A man who claims he exposed a security weakness in the Justice Ministry's computer system is under investigation by the police, prompting criticisms of a heavy-handed approach to whistle-blowers.

Details of the "vulnerability" were made public in April, after the man - who says he was operating with the best intentions - tipped off Labour MP Clare Curran. She passed on details to Justice Minister Judith Collins and told officials he was prepared to co-operate in any way he could to ensure the flaw was fixed.

But on the same day Curran contacted her, Collins wrote back saying the "alleged security risk" appeared to be "a deliberate and malicious attempt to hack into the Ministry of Justice's IT systems".

Asked if she, her office or the ministry had contacted the whistleblower, Collins told Parliament: "The ministry and I do not deal with hackers and we do not deal with burglars." The matter was referred to the police and there is an ongoing investigation.

Curran said the approach was counterproductive because it would dissuade people from reporting future weaknesses.

She is also concerned that the police have sought information about the man from her, which she believes is a "grey area" that needs to be clarified.

"They bring material to you as a trusted MP. You should be able to use that wisely." It is understood the man's identity is not known to police, but he agreed to answer Fairfax Media's questions using an anonymous internet address and has offered police the same information.

"I'm not quite the blackhat hacker that the Ministry of Justice are making me out to be. If I were, I would have sold the information on and no one would know there was a security hole."

He said he found the vulnerability when a non-technical person contacted him and asked if there was something wrong with the way the SOLR search platform worked at the ministry.

He found that from the online panel he could get into the administration panel simply by guessing an address.

"Lo and behold I had access to the admin panel of SOLR - something I clearly shouldn't be allowed access to without being challenged for authentication of some sort."

Through that he could access data "which unfortunately for the MoJ contained multiple passwords relating to their databases callback schemes, and payment gateways; some Westpac Australia service.

"I probably could have logged in and had a look but obviously that's the line between accessing public information and private so I didn't." That's when he contacted Curran.

"I felt I couldn't go directly to the MoJ as I've seen the way that governments tend to react to someone disclosing a flaw or security issue."

His motives were to discover if there was something that needed to be fixed.