An organization has contracted a penetration tester to assess their web application. The tester discovers an unpatched SQL injection vulnerability in the login form. What should the tester do FIRST?
- A. Continue testing without notifying the organization
- B. Immediately exploit the vulnerability to demonstrate impact
- C. Attempt to sell the vulnerability information
- D. Document the vulnerability and report it according to the RoE ✓
Correct answer: Document the vulnerability and report it according to the RoE
Option D is correct because a penetration tester's first obligation upon discovering a vulnerability is to document it thoroughly and report it in accordance with the Rules of Engagement (RoE), which define the scope, communication protocols, and authorization boundaries agreed upon before the engagement began. Option A is incorrect because continuing to test without notifying the client violates responsible disclosure practices and the contractual obligations of a professional engagement. Option B is incorrect because exploiting the vulnerability immediately, without authorization or documentation, could cause unintended damage, exceed the agreed scope, and expose the tester to legal liability. Option C is incorrect because attempting to sell vulnerability information is illegal and unethical; it constitutes extortion or unauthorized disclosure and is a criminal act.
Topic: rules of engagement, penetration testing, responsible disclosure, vulnerability management