[jrogers65]

> but his explanation doesn't jive with his actions.

I think it's perfectly congruent. An entity has your data as well as information on many other people. You come across and report a vunerability. You check that something was done about it. I see no holes in this (aside from the ones in Montreal college's security).

[borplk]

Just saying,

If he found the vulnerability without using Acunetix, why did he have to use Acunetix later to check if the same vulnerability has been fixed or not?

Couldn't he re-check using the same way that he initially found the vulnerability?

[jrogers65]

Perhaps he was using a wider net to see if there were any other problems which, given the level of (in)competence displayed by the techs working for the college, was a distinct possibility.

[thefreeman]

Exactly. Which is the definition of unauthorized penetration testing.