Ahmed Al-Khabaz, a 20-year-old computer science student at Montreal's Dawson College, recently identified a major security flaw in the university's computer system. Instead of being thanked, or given a pat on the back, the student was expelled from the school.
Al-Khabaz was working on a mobile app that would give students easier access to their college accounts when he discovered what he described as "sloppy coding". The coding flaw gave easy access to anyone wishing to find students' personal information stored in the system.
When he brought the flaw to the attention of university officials, Al-Khabaz was promised that he would work with Skytech, the creators of the software in which the flaw was found, to resolve the issue. That call never came, however. Two days later, Al-Khabaz ran another security check to see if the flaw had been fixed. It hadn't. A few minutes later he got a call from Edouard Teza, the president of Skytech. It was then that Al-Khabaz was accused of a cyber-attack and threatened with legal action.
"I saw a flaw which left the personal information of thousands of students, including myself, vulnerable," said Al-Khabaz. "I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn't think I was doing anything wrong."
Al-Khabaz was told that he could be jailed for six years if he did not sign an NDA about the flaw, and was rewarded with expulsion for bringing the major security flaw to the attention of officials. Of course, there are two sides to every story, and I personally cannot wait to hear the university's side.