While performing a network penetration test recently, I discovered a wide-open database that wasn't on the list of IP addresses provided by the client. It clearly belongs to them. Ethically, how should I handle this? Should I test it to show them the risk, or stop immediately because it's out of scope?
3 answers
Ethical hacking is about permission. Without explicit written permission for that specific IP, you are just an unauthorized intruder. Always protect yourself legally first.
Stop immediately and do not touch that asset. Testing anything outside the agreed "Rules of Engagement" (ROE) can lead to legal trouble, even if you have good intentions. The correct procedure is to document the IP and the service you noticed and immediately notify your primary point of contact at the client site. Ask them if they would like to include it in the current scope via a formal change order. Professionalism is about sticking to the contract. You’ve done your job by identifying it; let them decide if they want you to exploit it legally.
Was the database on the same subnet as the scoped items, or was it on a completely different network? Sometimes the client just forgot to add it to the list during the kickoff meeting.
That happens more often than you would think. In my experience, clients are usually grateful when you point out forgotten assets. However, Joseph's point about the subnet is important for your notes. I usually tell them that while I haven't tested it, its presence poses a significant risk to the scoped environment due to potential lateral movement. Always keep your communication in writing via email.
Margaret is 100% right. The contract is your shield. Touching out-of-scope items is the fastest way to lose your license or end up in court.