nerdexam
CompTIA


PT0-002 Question #363: Real Exam Question with Answer & Explanation


Reporting and Communication

Question

During an engagement with a financial institution, a penetration tester found hard-coded credentials in a publicly accessible code repository. Those credentials allowed the penetration tester to access PII from many of the institution's customers and services that are hosted by a cloud provider. Which of the following actions should the penetration tester do next?

Options

  • A. Proceed with the engagement and add the evidence in the final report
  • B. Keep the found credentials and use them during the engagement
  • C. Disclose the findings through a bug bounty platform
  • D. Report the findings to the customer's technical contact immediately

Explanation

The correct answer is D. The credentials were found in a publicly accessible repository, so the tester has no reason to assume they are the only party who has seen them, and they grant access to customer PII and to cloud-hosted services of a financial institution. That is a critical finding and possible evidence of an existing compromise, and standard rules of engagement require such findings to be communicated out-of-band to the customer's technical contact as soon as they are confirmed, not held for the final report. Immediate notification lets the customer revoke and rotate the credentials, purge them from the repository and its history, and check access logs for unauthorized use. The tester should stop using the credentials, avoid retaining any PII beyond the minimum needed as evidence, record the finding with redacted proof, and then continue the engagement under the agreed scope.

Common mistakes.

  • A. Holding a critical finding such as PII exposure for the final report delays mitigation of an active risk; findings at this severity are escalated out-of-band as soon as they are confirmed, and the engagement continues afterwards.
  • B. Continuing to use credentials that grant access to customer PII without telling the client deepens the tester's own exposure to that data and creates liability for them; the credentials need to be rotated by the customer, not exploited further.
  • C. A bug bounty platform is a disclosure channel for third parties without a contract. Under an engagement the client is the only disclosure channel, and routing the finding elsewhere would expose sensitive information to a wider audience, violate client trust and data privacy, and breach the agreement.

Concept tested. Penetration testing ethics and critical vulnerability reporting
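As an added example (not part of the original question or explanation), the following Python script shows the technical side of the scenario: scanning repository contents for hard-coded credential patterns, triaging severity, and assembling a redacted notification record of the kind the tester would send to the customer's technical contact. The sample files, the regex rules and the severity mapping are constructed for illustration; the AWS values are the documented placeholder keys, not real credentials.

```python
"""Secret-scanning triage helper (added example).

Flags hard-coded credentials in source text, rates severity, and builds a
redacted finding record suitable for an immediate out-of-band notification.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample repository contents. Values are placeholders (the AWS
# pair is the documented AWS example key), not real secrets.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'Sup3rSecret!2024'\n"
        "DEBUG = False\n"
    ),
    "deploy/env.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "README.md": "Run `make test` before pushing.\n",
}

# Illustrative rules: (kind, regex with the secret in group 1, severity).
# Cloud provider keys are rated critical because, as in the scenario, they
# can reach hosted services and customer data directly.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), "critical"),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*=\s*['\"]?([A-Za-z0-9/+=]{40})"),
     "critical"),
    ("generic_password",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*=\s*['\"]([^'\"]{8,})['\"]"),
     "high"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    severity: str
    redacted: str  # the full secret value is never stored or reported


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so the customer can correlate the key; mask the rest."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_source(path: str, text: str) -> List[Finding]:
    """Apply every rule to every line; one Finding per (line, rule) match."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, severity in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, line_no, kind, severity, redact(match.group(1))))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_source(path, text))
    return out


def requires_immediate_notification(findings: List[Finding]) -> bool:
    """Critical or high findings go to the technical contact now, not in the final report."""
    return any(f.severity in ("critical", "high") for f in findings)


def build_notification(findings: List[Finding]) -> Dict[str, object]:
    """What the out-of-band notice carries: location, redacted evidence, requested action.
    No secret values and no customer PII are included."""
    worst = "informational"
    if any(f.severity == "high" for f in findings):
        worst = "high"
    if any(f.severity == "critical" for f in findings):
        worst = "critical"
    return {
        "severity": worst,
        "evidence": [f"{f.path}:{f.line} {f.kind} {f.redacted}" for f in findings],
        "action_requested": "revoke and rotate exposed credentials; remove them from the "
                            "repository and its history; review access logs for misuse",
        "tester_status": "credential use stopped; no PII retained beyond redacted evidence",
    }


if __name__ == "__main__":
    results = scan_repo(SAMPLE_FILES)
    for finding in results:
        print(finding)
    if requires_immediate_notification(results):
        print(build_notification(results))
```

The regex rules are deliberately narrow; a real engagement would use a dedicated secret scanner and check commit history as well as the working tree, since a credential removed in a later commit is still recoverable from a public repository.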

Topics

Incident Handling, Ethical Hacking, Vulnerability Disclosure, Customer Communication

