Hacker News

OP discovered the state of Malta's InfoSec culture the hard way.

TLDR: infosec is screwed in Malta. The only people who benefit are malicious actors.

Some missing historical context is that there was no real legislation other than computer misuse up until the recent case known as the FreeHour case. A group of students discovered some pretty nasty vulnerabilities in an app aimed at matching student schedules. One of these vulns was exposing RW API keys for hundreds of students' Google calendars, hanging out to dry on the open internet.

The students involved, together with one of their lecturers, sent a standard vuln disclosure notice via email to the company. Instead of what you'd expect, the students were arrested, strip searched and charged with computer misuse.

This really threw the entire local infosec scene off, with some very vocal voices saying how draconian the situation was. Finally they all received presidential pardons [1] although last I heard they don't have their hardware back yet. FreeHour and their tech supplier (never publicly mentioned but if you ask around you can find out who they are) never saw any consequences.

I've done two public disclosures [2] [3] which worked out well but only because I knew how to go about it. In such a tiny country it is about who you know and how you know them, so in both cases I established contact via trusted intermediaries, both times ensuring I found someone who would know what I was talking about whilst also not immediately reaching for the police.

I'm sitting on another issue I discovered because after a long conversation with CSIRT about it we figured the only way I can actually anonymously report it is by snail mailing it to them. I can't pull together the energy to complete it because I don't have the time right now in my life for another legal melodramatic situation.

Despite this, MITA (the government IT department) annually runs a cybersec award ceremony [4]. I had once planned to nominate the students for the award but the nomination criteria forbid nominations for individuals who have "averse media publications" about them.

This is very much a deep socio-political problem in the country: we don't handle candour or bluntness of any kind in the public sphere. Being a very blunt person, it got me in all kinds of trouble growing up.

[1] https://timesofmalta.com/article/pardon-issued-students-lect...

[2] https://www.simonam.dev/accidental-pentest/

[3] https://www.simonam.dev/total-account-takeover/

[4] https://ncc-mita.gov.mt/cyber-awards/
