CompTIA PenTest+ (PT0-002) — Question 297
During an engagement with a financial institution, a penetration tester found hard-coded credentials in a publicly accessible code repository. Those credentials allowed the penetration tester to access PII from many of the institution’s customers and services that are hosted by a cloud provider. Which of the following actions should the penetration tester do next?
Answer options
- A. Proceed with the engagement and add the evidence in the final report
- B. Keep the found credentials and use them during the engagement
- C. Disclose the findings through a bug bounty platform
- D. Report the findings to the customer’s technical contact immediately
Correct answer: D
Explanation
The correct action is to report the finding to the customer's technical contact immediately (D). Credentials sitting in a public repository are exposed to anyone who looks, not just the tester, and here they grant access to customer PII and to cloud-hosted services, so the institution's exposure continues every hour the credentials remain valid. The PenTest+ objectives treat a discovery like this (a critical finding that exposes sensitive data and may indicate an active or prior compromise) as a trigger for immediate communication under the engagement's communication plan, rather than something to hold for the final report. Option A delays remediation for the length of the engagement while the exposure persists. Option B, continuing to use the credentials to reach customer PII, goes beyond what the rules of engagement authorize unless the client explicitly extends the scope after being notified. Option C is wrong because this is a contracted engagement with a defined client contact; a bug bounty platform is a channel for uninvited third-party researchers and would route sensitive information outside the agreed communication path.