EC-Council
312-50V9 Question #271: Real Exam Question with Answer & Explanation
The correct answer is C: Notify the web site owner so that corrective action be taken as soon as possible to patch the. When a researcher discovers a vulnerability, responsible disclosure requires notifying the affected organization directly so they can remediate it before malicious exploitation occurs.
Question
A well-intentioned researcher discovers a vulnerability on the web site of a major corporation. What should he do?
Options
- A. Ignore it.
- B. Try to sell the information to a well-paying party on the dark web.
- C. Notify the web site owner so that corrective action be taken as soon as possible to patch the
- D. Exploit the vulnerability without harming the web site owner so that attention be drawn to the
Explanation
When a researcher discovers a vulnerability, responsible disclosure requires notifying the affected organization directly so they can remediate it before malicious exploitation occurs.
Common mistakes.
- A. Ignoring the vulnerability leaves it unpatched and exposes the organization's users to ongoing risk, which is an ethically negligent course of action.
- B. Selling vulnerability information on the dark web is illegal under cybercrime statutes, constitutes trafficking in sensitive exploit data, and directly harms the affected organization and its users.
- D. Exploiting a vulnerability without permission constitutes unauthorized access, which is illegal under laws such as the Computer Fraud and Abuse Act (CFAA) regardless of the researcher's stated intent or claimed lack of harm.
Concept tested. Responsible vulnerability disclosure ethics
Reference. https://www.cisa.gov/coordinated-vulnerability-disclosure-process