Ethical hacking requires clear boundaries. Here are my rules.
Written Authorization
I never test without written authorization from someone legally empowered to approve testing. No exceptions.
Agreed Scope
I only test what's agreed upon. If I find something out of scope during testing, I'll notify you and wait for approval before proceeding.
Data Confidentiality
If I access sensitive data during testing, I don't copy it, store it, or disclose it. I only document the fact that access was possible.
Responsible Disclosure
If I find vulnerabilities in third-party systems or libraries, I follow responsible disclosure practices. Notify the vendor, wait for a fix, then disclose publicly if necessary.
No Harm
My goal is to find vulnerabilities, not cause damage. If there's a chance a test could impact production systems, we discuss it and use appropriate safeguards.
Honesty
I tell you what I find - good and bad. My job isn't to praise your security; it's to improve it.