by cosmie 2045 days ago
He mentioned in this[1] comment that his overall experience during the whole thing was positive, so there wasn't really any specific problem, other than the annoyance over having his accounts unexpectedly terminated after it was all over.

But

- Shit happens. Even legitimately contracted pentesters can run into legal issues. These guys[2] worked for a firm hired by the state court system to pen-test the courts (from application testing to physical building security), were ultimately arrested due to a power play, railroaded by embarrassed local authorities, had their charges trumped up to the point of being considered a felony, were disavowed by the powers that hired them who went into "cover our ass" mode, and ultimately spent 5 months fighting the charges before the state legislature ultimately pressured the local authorities to drop them. And even with the charges dropped, the felony arrest record was not expunged and has lasting damage/implications both personally and professionally.

- In the above case, the client was not only the very same court/legal system overseeing their case, but also had an established, multi-year relationship with the security firm they worked for. Yet it still went that terribly wrong, took almost half a year to get legally resolved, and resulted in permanent felony arrest records. If things can go so terribly wrong for legitimately contracted professionals, how badly do you think it could go for a private citizen, with no official contract in place and only some form of written permission from the company that has not been vetted by a lawyer representing that individual's interests, and may not have even been vetted by that company's lawyers?

- He was dealing with a bank, which is subject to a massive amount of legal and regulatory requirements for its customers that are specific to the banking industry, all of which tend to get interpreted/applied from a conservative standpoint due to the risks and penalties banks are subject to for non-compliance.

- He was using his real, live accounts during the process. His actions could have easily triggered their fraud detection system to automatically generate and submit a SAR[3] due to "suspicious activity that might signal criminal activity". For example, it could have triggered. Even if someone fully aware of the situation (and who granted permission) intercepted such a SAR before it was submitted, it may be decided that such actions from a private individual not contracted by the company to perform such work fit the threshold of "might signal" and still ultimately get submitted, triggering who-knows-what downstream repercussions/investigations after it's submitted to the government.

- Their responsible disclosure program[4] did not exist at the time, so there were no explicitly documented and legally vetted acceptable rules of engagement publicly available. It's possible that rules of engagement were part of his communications with them, but not mentioned in the article (nor again, vetted by a lawyer bound to represent his interests).

So while there was ultimately no problem in this instance beyond the inconvenience of his accounts getting closed, doing so without the aid/guidance of legal counsel involved assuming an unknown and potentially substantial amount of personal risk/liability in the process. Which is why it would be highly advisable for someone in a similar situation to speak to or retain a lawyer.

[1] https://news.ycombinator.com/item?id=24990202

[2] https://www.darkreading.com/vulnerabilities---threats/pen-te...

[3] https://www.occ.treas.gov/topics/supervision-and-examination...

[4] https://responsibledisclosure.jpmorganchase.com/hc/en-us