nerdexam
EC-Council

312-50V10 · Question #242

A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?

The correct answer is D. Notify the web site owner so that corrective action be taken as soon as possible to patch the. Responsible disclosure requires a researcher to report a discovered vulnerability directly to the affected organization so it can be patched before malicious actors exploit it.

Information Security and Ethical Hacking Fundamentals

Question

A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?

Options

  • ATry to sell the information to a well-paying party on the dark web.
  • BExploit the vulnerability without harming the web site owner so that attention be drawn to the
  • CIgnore it.
  • DNotify the web site owner so that corrective action be taken as soon as possible to patch the

How the community answered

(30 responses)
  • B
    7% (2)
  • C
    3% (1)
  • D
    90% (27)

Why each option

Responsible disclosure requires a researcher to report a discovered vulnerability directly to the affected organization so it can be patched before malicious actors exploit it.

ATry to sell the information to a well-paying party on the dark web.

Selling vulnerability data on the dark web is illegal under computer fraud and cybercrime statutes in most jurisdictions and directly enables malicious exploitation of the flaw.

BExploit the vulnerability without harming the web site owner so that attention be drawn to the

Exploiting a vulnerability on systems you do not own constitutes unauthorized access regardless of intent, violating laws such as the US Computer Fraud and Abuse Act and equivalent statutes globally.

CIgnore it.

Ignoring a known vulnerability leaves affected users exposed to potential exploitation by malicious actors who may independently discover the same flaw.

DNotify the web site owner so that corrective action be taken as soon as possible to patch theCorrect

Coordinated (responsible) disclosure is the industry-standard ethical practice where the finder privately notifies the vendor or site owner, provides details needed to reproduce and fix the issue, and allows a reasonable remediation window before any public announcement. This protects end users while ensuring the vulnerability is eventually resolved, and is recognized by frameworks such as ISO/IEC 29147.

Concept tested: Responsible (coordinated) vulnerability disclosure ethics

Source: https://www.iso.org/standard/72311.html

Topics

#responsible disclosure#vulnerability reporting#ethical hacking#security ethics

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice