Ethics & Laws Practice

Ground your technical skills in legal frameworks, professional ethics, and responsible disclosure practices.

1. Question

Which statement about authorization for ethical hacking is MOST accurate?

Verbal permission from any employee is sufficient to begin testingWritten authorization defining scope and timing is required before testingPublicly accessible systems can always be tested without permissionIf vulnerabilities are obvious, exploiting them is automatically legal

2. Question

Why is a well-defined scope document critical for an ethical hacking engagement?

It guarantees that no systems will ever be impactedIt clearly specifies what is in and out of bounds, reducing legal and operational riskIt allows testers to ignore client concernsIt replaces the need for any contract

3. Question

You discover sensitive personal data outside of scope during a test. What is the MOST ethical response?

Ignore it completely and delete any evidenceQuietly store a copy for future researchStop, preserve minimal evidence, and immediately inform the client following agreed channelsPublish the data to pressure the client to fix it

4. Question

Which of the following BEST describes responsible disclosure?

Publicly posting all details of a vulnerability immediately after discoveryPrivately notifying the affected party, giving them time to remediate before public disclosureSelling vulnerability details to the highest bidderNever sharing vulnerability details with anyone

5. Question

In many jurisdictions, which law area MOST directly governs unauthorized access to computer systems?

Tax lawEmployment lawComputer misuse or cybercrime legislationEnvironmental protection law

6. Question

Why is it important to avoid testing third-party systems that are not explicitly in scope, even if they are connected to the client?

Third-party systems are always secure by defaultYou may violate separate contracts and laws related to those systemsThey are never relevant to security postureThey cannot be exploited in practice

7. Question

Which behavior MOST clearly violates professional ethical standards in pentesting?

Reporting all findings, including minor onesUsing discovered credentials to access personal accounts outside the agreed scopeCoordinating testing windows to minimize disruptionRecommending defense-in-depth controls

8. Question

Why should testers avoid retaining client data or credentials after an engagement ends?

To reduce storage costs onlyBecause clients are responsible for their own data, not testersTo minimize risk of future breaches and comply with data handling obligationsBecause it is technically impossible to store such data

9. Question

Which of the following is the BEST reason to maintain detailed, accurate notes during an engagement?

To prove that you worked long hoursTo support clear reporting, reproducibility, and potential legal reviewTo avoid having to follow scope documentsTo share raw client data with third parties

10. Question

A bug bounty program explicitly forbids denial-of-service testing. What is the MOST appropriate action?

Ignore the restriction because you are helping securityPerform DoS tests but only during off-peak hoursRespect the rules and avoid any actions that could degrade availabilityPerform DoS tests if you first warn other researchers

Score: 0.0 / 10 (0 of 10 correct)