nerdexam
EC-Council

312-50V11 · Question #242

A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?

The correct answer is D. Notify the web site owner so that corrective action be taken as soon as possible to patch the. Responsible disclosure requires notifying the affected organization when a vulnerability is discovered, giving them the opportunity to patch it before it can be exploited.

Information Security and Ethical Hacking Fundamentals

Question

A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?

Options

  • ATry to sell the information to a well-paying party on the dark web.
  • BExploit the vulnerability without harming the web site owner so that attention be drawn to the
  • CIgnore it.
  • DNotify the web site owner so that corrective action be taken as soon as possible to patch the

How the community answered

(17 responses)
  • C
    6% (1)
  • D
    94% (16)

Why each option

Responsible disclosure requires notifying the affected organization when a vulnerability is discovered, giving them the opportunity to patch it before it can be exploited.

ATry to sell the information to a well-paying party on the dark web.

Selling vulnerability information on the dark web is illegal and unethical, constituting active participation in cybercrime markets regardless of the seller's original intent.

BExploit the vulnerability without harming the web site owner so that attention be drawn to the

Exploiting a vulnerability without authorization is illegal under laws such as the CFAA even when harm is not intended, and it does not guarantee the owner will be alerted or will act.

CIgnore it.

Ignoring a known vulnerability leaves users and the organization exposed to exploitation by malicious actors, which is an irresponsible and harmful outcome.

DNotify the web site owner so that corrective action be taken as soon as possible to patch theCorrect

Notifying the web site owner follows the principle of responsible (coordinated) vulnerability disclosure, which gives the organization time to remediate the issue before it is publicly known or exploited by malicious actors. This ethical approach protects end users, preserves trust, and is the standard expected behavior in the security research community as outlined by organizations such as CISA and ISO 29147.

Concept tested: Responsible coordinated vulnerability disclosure ethics

Source: https://www.cisa.gov/coordinated-vulnerability-disclosure-process

Topics

#responsible disclosure#ethical hacking#vulnerability reporting#researcher ethics

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice