Exam PT0-002
Question 311

A penetration tester requested, without express authorization, that a CVE number be assigned for a new vulnerability found on an internal client application. Which of the following did the penetration tester most likely breach?

    Correct Answer: C

    The penetration tester most likely breached the NDA (Non-Disclosure Agreement). An NDA is a legal contract that ensures confidential information discovered during activities like penetration testing is not disclosed to unauthorized parties without proper authorization. By requesting a CVE number for a vulnerability found on an internal client application without express authorization, the tester violated the confidentiality and non-disclosure obligations outlined in the NDA.

Discussion
swiggharo (Option: C)

C. NDA

Big_Dre (Option: C)

It sucks being one of the first to comment; you don't get the opinion of the others. C. NDA (Non-Disclosure Agreement). The penetration tester most likely breached the NDA (Non-Disclosure Agreement) by requesting a CVE number without express authorization. NDA agreements typically prohibit the disclosure of sensitive information or findings without prior consent, and in this case, requesting a CVE number for a vulnerability found on an internal client application without authorization would likely violate the terms of the NDA.

isaphiltrick (Option: A)

Given the nature of the action—requesting a CVE number for a vulnerability found in a client’s internal application without express authorization—the most directly relevant breach is: A. ROE (Rules of Engagement) The ROE would include what actions the penetration tester is authorized to perform, including how to handle vulnerability disclosures. By requesting a CVE number without authorization, the tester likely breached the agreed-upon rules and protocols defined in the ROE.

aee9303 (Option: C)

To get a CVE, you have to disclose information on the vuln found. This means breaking the NDA of your contract. However, it can also be assumed that you did this without consulting anyone, which means it's against your ROE, but why are you submitting a report to get a CVE during a pentest? I feel like data retention policies/NDAs are the more likely answer.

Etc_Shadow28000 (Option: A)

A. ROE (Rules of Engagement): The Rules of Engagement document outlines the boundaries, scope, and specific permissions granted for the penetration test. Requesting a CVE number for a vulnerability found in an internal client application without express authorization likely breaches the rules regarding the scope of actions the tester is allowed to perform, especially actions that involve public disclosure or external entities.

C. NDA: An NDA ensures that confidential information is not disclosed to unauthorized parties. While this is relevant to the unauthorized disclosure of information, the primary concern here is the specific actions allowed during the penetration test, which falls under ROE.

PhillyCheese (Option: C)

The penetration tester most likely breached the Non-Disclosure Agreement (NDA). An NDA is a legal contract that prohibits disclosing confidential information without proper authorization. By requesting a CVE number without express consent, the tester violated the confidentiality obligations outlined in the NDA. It’s crucial to adhere to ethical standards and follow established procedures when handling vulnerabilities.

Sebatian20 (Option: A)

Poorly worded question, but in a nutshell: the tester has submitted their findings outside of the company to get a CVE allocated to their finding without approval from the company. This is a direct violation of an NDA.

Jhonattan0032 (Option: A)

Definitely A.

PMann (Option: A)

Seems to me they broke the rules of engagement and are trying to cover it with a CVE found during vulnerability testing.