
312-50V13 Question #579: Real Exam Question with Answer & Explanation

Correct answer: A. The organization is at fault because it did not fix all identified vulnerabilities.

Submitted by alyssa_d · Mar 6, 2026 · Domain: Introduction to Ethical Hacking

Question

An organization suspects a persistent threat from a cybercriminal. They hire an ethical hacker, John, to evaluate their system security. John identifies several vulnerabilities and advises the organization on preventive measures. However, the organization has limited resources and opts to fix only the most severe vulnerability. Subsequently, a data breach occurs exploiting a different vulnerability. Which of the following statements best describes this scenario?

Options

  • A. The organization is at fault because it did not fix all identified vulnerabilities.
  • B. Both the organization and John share responsibility because they did not adequately manage the
  • C. John is at fault because he did not emphasize the necessity of patching all vulnerabilities.
  • D. The organization is not at fault because they used their resources as per their understanding.

Explanation


Option A is correct because an organization bears primary responsibility for its own security posture. When an ethical hacker reports multiple vulnerabilities and the organization chooses to leave known weaknesses unaddressed, it is accepting the residual risk; a breach through one of those unfixed vulnerabilities is therefore the consequence of its own decision. In risk-management terms, the organization accepted the risk rather than mitigating, transferring, or avoiding it, and acceptance does not shift accountability to the tester. Option B is incorrect because John met his professional obligation by identifying and reporting all vulnerabilities and advising on preventive measures; shared responsibility would apply only if John had concealed findings, misrated their severity, or given poor advice. Option C is incorrect because an ethical hacker's role is to identify, rate, and advise, not to dictate how the client allocates its resources, and nothing in the scenario suggests he failed to communicate the risks clearly. Option D is incorrect because limited resources do not absolve an organization of fault: knowingly leaving reported vulnerabilities unpatched, without compensating controls, after being warned is a negligent security decision regardless of intent.

🧠 Memory Tip

Think of it like a car inspection: if a mechanic identifies multiple safety issues but you fix only one and later crash because of another known problem, you are responsible, not the mechanic. "You were warned = you own the risk."

Topics

#VulnerabilityManagement #RiskManagement #OrganizationalResponsibility #SecurityDecisionMaking
