I disagree with people who are drawing direct analogies between someone breaking into your property to test its security and cybersecurity pen-testing. To me, it's more like giving your money to a bank for safekeeping with the understanding they will protect it, and then wanting to test that they are actually fulfilling their promise (e.g. by going to the bank and checking they have solid thick walls, and that entry to the vault is guarded properly). Even that's not a direct analogy, as you'll likely be compensated if the bank loses your money, but you'll rarely be compensated when your personal information is disclosed. I also think there are some interesting questions raised by cloud computing. What if I were to deploy a purposefully insecure honeypot VM or application to the cloud, and an attacker managed to use that to mount an attack on other applications?
There seems to be a fundamental disagreement about the correct analogy.

Is it akin to going to a bank during normal business hours and using lawful powers of observation, i.e., implicitly authorized? Or is it akin to breaking into the bank after it's closed, or otherwise violating some implicit lack of authorization, e.g., going somewhere off-limits, such as trying to secretly enter the vault?

Because I think you'll recognize the inherent danger of allowing people to willy-nilly try and break into banks to "test they are actually fulfilling their promise".