nerdexam
EC-Council

312-50V11 · Question #481

A big company, who wanted to test their security infrastructure, wants to hire elite pen testers like you. During the interview, they asked you to show sample reports from previous penetration tests.

The correct answer is C. Decline but, provide references. Penetration testers must never share prior client reports, even redacted, because doing so breaches confidentiality obligations to those clients; providing references is the correct professional alternative.

Information Security and Ethical Hacking Fundamentals

Question

A big company, who wanted to test their security infrastructure, wants to hire elite pen testers like you. During the interview, they asked you to show sample reports from previous penetration tests. What should you do?

Options

  • AShare reports, after NDA is signed
  • BShare full reports, not redacted
  • CDecline but, provide references
  • DShare full reports with redactions

How the community answered

(24 responses)
  • A
    4% (1)
  • B
    8% (2)
  • C
    83% (20)
  • D
    4% (1)

Why each option

Penetration testers must never share prior client reports, even redacted, because doing so breaches confidentiality obligations to those clients; providing references is the correct professional alternative.

AShare reports, after NDA is signed

Signing an NDA with the new company does not override the existing confidentiality obligations owed to the original client whose data appears in the report.

BShare full reports, not redacted

Sharing full, unredacted reports is a severe confidentiality breach that exposes prior clients' vulnerabilities and would violate any NDA or engagement contract signed with those clients.

CDecline but, provide referencesCorrect

Prior penetration test reports contain sensitive details about a client's vulnerabilities, architecture, and security gaps, all of which are covered under confidentiality agreements with that client. Declining to share protects those clients' interests, while offering professional references allows the prospective employer to verify competence without exposing confidential data.

DShare full reports with redactions

Even redacted reports may retain enough detail (network diagrams, vulnerability classes, findings structure) to expose sensitive information about the prior client's environment.

Concept tested: Penetration tester confidentiality and professional ethics

Source: https://www.eccouncil.org/code-of-ethics/

Topics

#pen test ethics#report handling#confidentiality#NDA

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice