nerdexam
EC-Council

312-50V11 · Question #403

A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician resea

The correct answer is D. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.. Responsible disclosure requires notifying the software vendor of a discovered vulnerability and withholding public disclosure until a patch is available, protecting users from exploitation.

Information Security and Ethical Hacking Fundamentals

Question

A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step?

Options

  • AIgnore the problem completely and let someone else deal with it.
  • BCreate a document that will crash the computer when opened and send it to friends.
  • CFind an underground bulletin board and attempt to sell the bug to the highest bidder.
  • DNotify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.

How the community answered

(39 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    8% (3)
  • D
    87% (34)

Why each option

Responsible disclosure requires notifying the software vendor of a discovered vulnerability and withholding public disclosure until a patch is available, protecting users from exploitation.

AIgnore the problem completely and let someone else deal with it.

Ignoring the bug leaves other users vulnerable and fails the ethical obligation of a security-aware professional to improve security.

BCreate a document that will crash the computer when opened and send it to friends.

Creating and distributing a weaponized document is malicious, constitutes unauthorized damage under laws like the CFAA, and harms others.

CFind an underground bulletin board and attempt to sell the bug to the highest bidder.

Selling vulnerability information on underground markets is illegal and unethical, enabling criminal exploitation of unsuspecting users.

DNotify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.Correct

Responsible disclosure - also known as coordinated vulnerability disclosure - is the ethical and industry-standard practice where the researcher notifies the vendor privately, giving them reasonable time to develop and release a fix before public disclosure. This approach protects end users from malicious exploitation of the vulnerability while still ensuring the vendor addresses the issue. It balances transparency with harm prevention.

Concept tested: Responsible vulnerability disclosure practices

Source: https://learn.microsoft.com/en-us/legal/msrc/report-an-issue

Topics

#responsible disclosure#vulnerability reporting#ethics#coordinated disclosure

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice