This story is somewhat complex, and lacks information on many aspects. I've made a kind of TLDR of what happened and added my thoughts. I've also cross-compared the information given in the article with that available on Dawson College's web page and Skytech's Omnivox.
[he was] working on a mobile app to allow students easier access to their college account [.]
-> Did he have authorisation?
-> From whom did he have authorisation?
-> Omnivox does not seem to have a public API.
“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,”
"I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”
-> Did he try to fix it, or only bring it to the attention of the college?
-> Did he inform the college he tried/would try to fix the flaw?
-> Did he try to fix the flaw after or before meeting with the college?
"Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately"
-> Mr. Paradis is Dawson's Director of Information Services and Technology
-> I specify this only because it is not clear from the article if he works at the college or at Skytech
"Mr. Al-Khabaz decided to run a software program called Acunetix"
"to ensure that the issues he and Mija had identified had been corrected"
-> Did they use Acunetix the first time?
-> If yes, did the college know? Did Skytech notice?
-> Otherwise, why? They found the flaw without Acunetix
"Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line."
The administration of Dawson College clearly saw things differently, proceeding to expel Mr. Al-Khabaz for a “serious professional conduct issue.”
Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour.
Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty.
-> Were there other incidents that could have influenced the judgment?
-> Colleges rarely want to expel students who ace all their courses. Especially in CS with the high rate of failure.
-> According to the college:
The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned
-> This, along with the "He said that this was the second time they had seen me in their logs", tends to indicate he probably ran the test multiple times. Or, the first time he found the flaw, Skytech took him for an attacker and the college warned him to stop development on his application. This would indicate that he had no authorisation to do so.