A penetration tester requested, without express authorization, that a CVE number be assigned for a new vulnerability found on an internal client application. Which of the following did the penetration tester most likely breach?
It sucks being one of the first to comment; you don't get the opinion of the others.
C. NDA (Non-Disclosure Agreement)
The penetration tester most likely breached the NDA (Non-Disclosure Agreement) by requesting a CVE number without express authorization. NDA agreements typically prohibit the disclosure of sensitive information or findings without prior consent, and in this case, requesting a CVE number for a vulnerability found on an internal client application without authorization would likely violate the terms of the NDA.
The ROE defines the boundaries, permissions, and constraints for a penetration test, including what is allowed and not allowed during the engagement. Requesting a CVE number could be considered an action outside the agreed-upon scope unless specifically authorized.
Requesting a CVE for a vulnerability discovered during a penetration test is disclosing private information exclusive to that test. This is a direct violation of any NDA that may have been signed to prohibit that information from being disclosed to the public.
A. ROE (Rules of Engagement)
The Rules of Engagement typically outline the scope, authority, and protocols for conducting a penetration test, including how vulnerabilities should be reported and whether they can be publicly disclosed. Requesting a CVE number without express authorization suggests a violation of these agreed-upon rules.
A. ROE (Rules of Engagement): The Rules of Engagement document outlines the boundaries, scope, and specific permissions granted for the penetration test. Requesting a CVE number for a vulnerability found in an internal client application without express authorization likely breaches the rules regarding the scope of actions the tester is allowed to perform, especially actions that involve public disclosure or external entities.
--------
C. NDA: An NDA ensures that confidential information is not disclosed to unauthorized parties. While this is relevant to the unauthorized disclosure of information, the primary concern here is the specific actions allowed during the penetration test, which falls under ROE.
Given the nature of the action—requesting a CVE number for a vulnerability found in a client’s internal application without express authorization—the most directly relevant breach is:
A. ROE (Rules of Engagement)
The ROE would include what actions the penetration tester is authorized to perform, including how to handle vulnerability disclosures. By requesting a CVE number without authorization, the tester likely breached the agreed-upon rules and protocols defined in the ROE.
The penetration tester most likely breached the Non-Disclosure Agreement (NDA). An NDA is a legal contract that prohibits disclosing confidential information without proper authorization. By requesting a CVE number without express consent, the tester violated the confidentiality obligations outlined in the NDA. It’s crucial to adhere to ethical standards and follow established procedures when handling vulnerabilities.
Poorly worded question, but in a nutshell, the tester has submitted their findings outside the company to get a CVE allocated to their finding without approval from the company.
This is a direct violation of an NDA.
To get a CVE, you have to disclose information on the vuln found. This means breaking the NDA of your contract.
However, it can also be assumed that you did this without consulting anyone, which means it's against your ROE, but why are you submitting a report to get a CVE during a pentest?
I feel like data retention policies/NDAs are the more likely answer.
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
Commenters:
Big_Dre (Highly Voted, 1 year, 1 month ago)
Vslaugh (Most Recent, 3 months, 2 weeks ago)
BlackSkullz (5 months ago)
koala_lay (5 months, 4 weeks ago)
Etc_Shadow28000 (10 months ago)
isaphiltrick (10 months, 1 week ago)
PhillyCheese (10 months, 3 weeks ago)
Sebatian20 (11 months, 4 weeks ago)
b1484e5 (7 months, 3 weeks ago)
Jhonattan0032 (1 year ago)
PMann (1 year, 1 month ago)
swiggharo (1 year, 1 month ago)
aee9303 (1 year, 2 months ago)