No, this is illegal and can put Namecheap into huge trouble.
A Responsible Disclosure Programme needs to explicitly state that access to other users' data is illegal and that test/self-owned accounts need to be used for security testing.
This is why legal departments exist; you cannot just say this as a CEO without consulting your advisors.
> A Responsible Disclosure Programme needs to explicitly state that access to other users' data is illegal and that test/self-owned accounts need to be used for security testing.
Why do you think so? You don’t lose out on any legal protections without explicitly stating that.
I think you meant legal protections for the security researcher? I was talking about legal trouble for Namecheap.
A company can't encourage/allow security researchers to access users' private data; at best this is against GDPR, but it can also cause monetary damage to users, which can be far worse.
If this tweet is being interpreted as Namecheap granting permission to someone to try and access customers' data, it actually is against GDPR for Namecheap to do so.
As data controller, Namecheap has the following duty: "the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject." (GDPR 28.1)
Of course, if that tweet is treated as empty boasting, then there are no consequences - but if you take it at face value, Namecheap is granting permission to access data without a proper limiting contract, and it is explicitly illegal for Namecheap to do so (GDPR 28.3 - "Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller"); they have a duty to ensure that any subcontractors or licensees or partners or whatever accessing the data do so only in a strictly controlled manner.
This is why every proper external pentest in the EU will have explicit GDPR clauses about the limitations of personal data handling if the pentester/auditor has any chance of accessing systems with such data - it's not acceptable for a company to hire external auditors without such restrictions; they can't simply grant access to other people's data to third parties.
And before someone says "...but terms & conditions...", no, terms and conditions can't override law; these restrictions apply no matter what Namecheap has contracted with the individuals whose data they're storing. There are some clauses of GDPR which state "don't do X without informing the data subject" (in which case the T&C might inform the customer that you'll be doing X), but that's not the case for these requirements.
> If this tweet is being interpreted as Namecheap granting permission to someone to try and access customers' data, it actually is against GDPR for Namecheap to do so.
I'm not sure that's a credible interpretation; the CEO betting against you being able to work around their data protection measures does not turn you into a processor.
The big question is whether the CEO betting against you being able to work around their data protection counts as Namecheap permitting you to access that data.
If it does not (which IMHO is a reasonable interpretation), there is no issue and that's just empty boasting. But if it does, that's a violation - GDPR prohibits Namecheap from allowing anyone outside the company to handle that data without a proper controller-processor contract.
Not being a processor is a bad thing in this case, because being a processor is the only way this can proceed legally. If you're not a processor, it's a violation for Namecheap to give you that data; and if you're not a processor, it's a violation for you to process that data, since you're also not a controller, you did not legally obtain it from the data subject, this is also not a purely household activity, and no other exceptions seem to apply, so the default condition applies, i.e. it's illegal for you to handle that data as you have no legal basis permitting it. (GDPR is a deny-by-default law; processing of private data is lawful if and only if specific conditions listed in GDPR are met. If some private data 'fell off a truck', you can't legally do stuff with it.)