Let’s say you find a SQL database directly accessible from the internet. It’s the same story all over. There’s really no reason you should have this sort of system directly on the internet. There are much more secure ways to make this system available.

So why do we want to waste time as a tester to try and hack something we already know is insecure and why does the security manager need to pay more for this effort? The only real value is that you use this information to prove to other managers that this access needs to be shut down. So my argument here is that, once you find something that point blank doesn’t belong on the internet, your efforts as a company should be to put resources towards fixing the problem rather than proving that it’s a problem in the first place. It’s a waste of effort at this point.