We’ve all heard about the four computer science students at the University of Malta that have been arrested after discovering a security flaw in Malta’s largest student application, FreeHour. The students claim that their efforts to warn the company about the vulnerability and the potential for a data breach were motivated by a desire to help protect users, not to exploit or harm them. However, their arrest and the confiscation of their equipment have prompted concerns that similar instances of ‘white-hat’ hacking could deter others from reporting flaws in software, thereby leaving users’ data vulnerable to malicious attacks. The issue of bug bounties also raises questions about how companies should compensate security researchers who identify flaws in their systems.