I don't understand how using an external attack tool is grounds for anything. If Hamed could use it to search for exploits an attacker could have used it to search for exploits.
Especially if a students' information had been previously exposed and the attacker had access to everyone's personal information / passwords!
-- Edit : after reading his expulsion letter, it seems he supposedly injected SQL on both occasions. One imagines they strictly forbid him from doing so again. Sure, he probably should have asked for a sandbox system if he wanted to do ad hoc security research, but it is still quite a logical leap to actually expel him.
Either ways, the solution should be to fix the security system and reward the whistleblower. In a few years, we are going to have millions of teenagers with the competence and ability to pull of what Hamed did. What then?
Obviously those youngsters are all criminals that ought to be put to jail. We shall implement a zero-tolerance policy, just like the copyright industry did. </sarcasm>
Especially if a students' information had been previously exposed and the attacker had access to everyone's personal information / passwords!
-- Edit : after reading his expulsion letter, it seems he supposedly injected SQL on both occasions. One imagines they strictly forbid him from doing so again. Sure, he probably should have asked for a sandbox system if he wanted to do ad hoc security research, but it is still quite a logical leap to actually expel him.