Not really, they don't often advertise that you should attack their customers directly. The closest I can remember was the LifeLock guy putting his social security number up publicly.
Otherwise, they prefer you hit test or personal accounts rather than paying customers...
> Davis publicly posted his Social Security number as part of a 2007 ad campaign to promote the company's identity theft protection services. However, Davis was a victim of 13 cases of identity theft between 2007 and 2008.
Hacking accounts without consent of the victim is probably illegal. So normally you'd use an account you own (or your friend/colleague owns), but the challenge is excluding those. The company setting up special test accounts can be a good option as well, but needs to be done in good faith and is problematic when the attack is social engineering based.
So the challenge is either giving attackers permission to hack accounts of strangers, or requires the attacker to engage in potentially illegal behaviour. Neither of which is acceptable.
I assume this is just badly phrased, and what was actually intended was a requirement that the victim doesn't collude with or help the attacker.
You're not supposed to cause actual substantive changes to actual customers. In addition to being questionably ethical, that would usually disqualify a researcher from any possible bug bounties and forfeit legal protections offered by the program.
Well the CEO said they didn't think it was a problem because there is additional security (also a PIN code required) to access the account. That is pretty standard for big companies: saying that it actually isn't a problem and either not fixing it or fixing it and not paying a bounty on it.
No, this is illegal and can put Namecheap into huge trouble.
A Responsible Disclosure Programme needs to explicitly state that access to other users' data is illegal and that test/self-owned accounts need to be used for security testing.
This is why legal departments exist; you cannot just say this as a CEO without consulting your advisors.
> A Responsible Disclosure Programme needs to explicitly state that access to other users' data is illegal and that test/self-owned accounts need to be used for security testing.
Why do you think so? You don’t lose out on any legal protections without explicitly stating that.
I think you meant legal protections for the security researcher? I was talking about legal troubles for Namecheap.
A company can't encourage/allow security researchers to access private data of the users; at best this is against GDPR, but it can also cause monetary damage to users, which can be far worse.
If this tweet is being interpreted as namecheap granting permission to someone to try and access customers' data, it actually is against GDPR for namecheap to do so.
As data controller, namecheap has the following duty "the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject." (GDPR 28.1)
Of course, if that tweet is treated as empty boasting, then there are no consequences - but if you take it at face value, namecheap is granting permission to access data without a proper limiting contract, and it is explicitly illegal for namecheap to do so (GDPR 28.3 - "Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller"); they have a duty to ensure that any subcontractors or licensees or partners or whatever accessing the data do so only in a strictly controlled manner.
This is why every proper external pentest in the EU will have explicit GDPR clauses about the limitations of personal data handling if the pentester/auditor has any chance of accessing systems with such data - it's not acceptable for a company to hire external auditors without such restrictions; they can't simply grant access to other people's data to third parties.
And before someone says "...but terms & conditions...", no, terms and conditions can't override law; these restrictions apply no matter what namecheap has contracted with the individuals whose data they're storing. There are some clauses of GDPR which state "don't do X without informing the data subject" (in which case the T&C might inform the customer that you'll be doing X), but that's not the case for these requirements.
> If this tweet is being interpreted as namecheap granting permission to someone to try and access customers' data, it actually is against GDPR for namecheap to do so.
I'm not sure that's a credible interpretation; the CEO betting against you being able to work around their data protection measures does not turn you into a processor.
The big question is whether the CEO betting against you being able to work around their data protection counts as namecheap permitting you to access that data.
If it does not (which IMHO is a reasonable interpretation), there is no issue and that's just empty boasting. But if it does, that's a violation - GDPR prohibits namecheap from allowing anyone outside the company to handle that data without a proper controller-processor contract.
Not being a processor is a bad thing in this case, because being a processor is the only way this can proceed legally. If you're not a processor, it's a violation for namecheap to give you that data; and if you're not a processor, it's a violation for you to process that data, since you're also not a controller, you did not legally obtain it from the data subject, this is also not a purely household activity, and no other exceptions seem to apply, so the default condition applies, i.e. it's illegal for you to handle that data as you have no legal basis permitting it. (GDPR is a deny-by-default law; processing of private data is lawful if and only if specific conditions listed in GDPR are met. If some private data 'fell off a truck', you can't legally do stuff with it.)
https://www.techtimes.com/articles/271004/20220125/apple-rew...
https://www.pcgamer.com/security-researchers-aka-hackers-mak...