312-50V11 · Question #481
A big company, who wanted to test their security infrastructure, wants to hire elite pen testers like you. During the interview, they asked you to show sample reports from previous penetration tests.
The correct answer is C. Decline but, provide references. Penetration testers must never share prior client reports, even redacted, because doing so breaches confidentiality obligations to those clients; providing references is the correct professional alternative.
Question
A big company, who wanted to test their security infrastructure, wants to hire elite pen testers like you. During the interview, they asked you to show sample reports from previous penetration tests. What should you do?
Options
- AShare reports, after NDA is signed
- BShare full reports, not redacted
- CDecline but, provide references
- DShare full reports with redactions
How the community answered
(24 responses)- A4% (1)
- B8% (2)
- C83% (20)
- D4% (1)
Why each option
Penetration testers must never share prior client reports, even redacted, because doing so breaches confidentiality obligations to those clients; providing references is the correct professional alternative.
Signing an NDA with the new company does not override the existing confidentiality obligations owed to the original client whose data appears in the report.
Sharing full, unredacted reports is a severe confidentiality breach that exposes prior clients' vulnerabilities and would violate any NDA or engagement contract signed with those clients.
Prior penetration test reports contain sensitive details about a client's vulnerabilities, architecture, and security gaps, all of which are covered under confidentiality agreements with that client. Declining to share protects those clients' interests, while offering professional references allows the prospective employer to verify competence without exposing confidential data.
Even redacted reports may retain enough detail (network diagrams, vulnerability classes, findings structure) to expose sensitive information about the prior client's environment.
Concept tested: Penetration tester confidentiality and professional ethics
Source: https://www.eccouncil.org/code-of-ethics/
Topics
Community Discussion
No community discussion yet for this question.