One of the computer science students at Montreal's Dawson College has found security vulnerability in the network used by many colleges in Quebec. The discovered vulnerability compromised the security of 250,000 students’ personal details, but instead of appreciation the student was kicked out of college.

Ahmed Al-Khabaz, 20, was developing a mobile application to provide students easier access to their school account. However, in the process he and his partner found out a so-called “sloppy coding” which could allow easy access to personal details stored on the system. The student admitted that the vulnerability would make it possible for everyone having basic knowledge of computers to access social insurance numbers, phone numbers, and home addresses.

Ahmed explained that he noticed a flaw which left the personal details of thousands of students, including himself, vulnerable. So he felt he had a moral duty to bring the flaw to the attention of the college and help to fix it. That’s exactly what he did without hiding his identity behind a proxy, because he didn’t think he was doing something wrong.

Originally, the college tech director praised both students for their work and promised to work with Skytech, the developers of the system, in order to address the flaws. But two days later the student had to run another security check to make sure everything is fixed and immediately got a call from the president of Skytech, who claimed that his actions were tantamount to a cyber attack and started threatening the student with criminal charges and arrest.

Despite the fact that Ahmed repeatedly apologized and tried to explain that he was the one who discovered the flaw and was simply testing now, Skytech kept threatening him with jail sentence of 6 to 12 months. In addition, they made Ahmed meet their representative and sign a non-disclosure agreement.

Finally, Al-Khabaz was expelled and the non-disclosure agreement now prevents him from discussing confidential data he found on Skytech servers under pain of further legal consequences. In response, Skytech admitted that they contacted the student and mentioned police and legal consequences, but denied they did any threats. As if mentioning legal action and the police is not a threat...