312-50V10 · Question #224
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder
The correct answer is D. Report immediately to the administrator.. A penetration tester who discovers sensitive personal financial data outside the engagement scope must immediately report it to the administrator rather than act on it.
Question
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account. What should you do?
Options
- ADo not report it and continue the penetration test.
- BTransfer money from the administrator's account to another account.
- CDo not transfer the money but steal the bitcoins.
- DReport immediately to the administrator.
How the community answered
(50 responses)- A4% (2)
- B2% (1)
- C6% (3)
- D88% (44)
Why each option
A penetration tester who discovers sensitive personal financial data outside the engagement scope must immediately report it to the administrator rather than act on it.
Failing to report discovered sensitive information violates the ethical obligations and contractual terms established in the penetration testing agreement.
Transferring money from any account without authorization constitutes wire fraud and is a criminal offense regardless of how access was obtained.
Taking cryptocurrency without authorization is theft and a criminal offense, and the method of access does not change the legal or ethical outcome.
Penetration testers operate under a defined scope and rules of engagement; accessing personal financial data falls outside that scope and creates both ethical and legal exposure. Immediate disclosure to the administrator fulfills the tester's professional obligations, protects them from criminal liability, and allows the administrator to secure that data promptly.
Concept tested: Penetration testing ethics and responsible disclosure
Source: https://www.eccouncil.org/ethical-hacking/
Topics
Community Discussion
No community discussion yet for this question.