312-50V11 · Question #224
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder
The correct answer is D. Report immediately to the administrator.. During a penetration test, discovering sensitive personal financial data imposes an immediate ethical and legal obligation to report the finding to the appropriate authority.
Question
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account. What should you do?
Options
- ADo not report it and continue the penetration test.
- BTransfer money from the administrator's account to another account.
- CDo not transfer the money but steal the bitcoins.
- DReport immediately to the administrator.
How the community answered
(35 responses)- B9% (3)
- C3% (1)
- D89% (31)
Why each option
During a penetration test, discovering sensitive personal financial data imposes an immediate ethical and legal obligation to report the finding to the appropriate authority.
Failing to report discovered sensitive data violates the penetration tester's professional and contractual obligation to disclose all significant findings to the client.
Transferring money from the administrator's account constitutes financial fraud and is a serious criminal offense regardless of the penetration test context.
Taking bitcoins is theft and a criminal act, and no penetration test scope authorizes a tester to steal or misappropriate assets from the target.
A penetration tester operates under a strict code of ethics and a defined scope of engagement, and discovering sensitive personal data such as banking credentials must be reported immediately to the administrator or engagement owner. Accessing, transferring, or exploiting such data outside the agreed scope constitutes illegal activity and violates professional ethics. Prompt reporting protects both the client and the tester from legal liability.
Concept tested: Penetration testing ethics and responsible disclosure
Source: https://www.eccouncil.org/code-of-ethics/
Topics
Community Discussion
No community discussion yet for this question.