During a penetration test, a penetration tester discovers a critical vulnerability that allows unauthenticated remote code execution on a public-facing web server. According to best practices for communication during a penetration test, what should the tester do next?
Trap 1: Document the finding and inform the client only after verifying…
While verification is good, the urgency of a critical finding requires immediate communication.
Trap 2: Wait until the end of the test to include it in the final report.
Waiting could leave the client exposed to exploitation without their knowledge.
Trap 3: Exploit the vulnerability to demonstrate the full impact before…
Exploiting without warning could cause unintended damage and is not ethical.
- A
Immediately notify the client of the critical finding and provide initial remediation steps.
Immediate notification allows the client to mitigate the risk promptly.
- B
Document the finding and inform the client only after verifying with a second tester.
Why wrong: While verification is good, the urgency of a critical finding requires immediate communication.
- C
Wait until the end of the test to include it in the final report.
Why wrong: Waiting could leave the client exposed to exploitation without their knowledge.
- D
Exploit the vulnerability to demonstrate the full impact before notifying the client.
Why wrong: Exploiting without warning could cause unintended damage and is not ethical.