In the professional penetration testing process, the discovery of a "critical" vulnerability—one that could lead to immediate system compromise or data loss—triggers a specific ethical and procedural response. While the ultimate goal of a pentest is to find weaknesses, the primary duty of an ethical hacker is to ensure the safety and security of the client’s environment. Therefore, when a critical flaw is identified, the tester must immediately inform the relevant stakeholders or technical teams so that a prompt solution or "hotfix" can be implemented.

This immediate reporting deviates from the standard "end-of-test" report delivery because critical vulnerabilities represent an "active risk". If a tester finds an unpatched, high-impact vulnerability that is publicly known, there is a high probability that a real attacker could exploit it while the pentest is still ongoing. By notifying the client immediately, the tester helps mitigate the risk of an actual breach occurring during the assessment. This process is often detailed in the "Rules of Engagement" (RoE) agreed upon before the test begins.

Once the "corresponding area" (such as the DevOps or Security Operations team) is informed, the tester documents the vulnerability with clear reproduction steps and remediation advice. The tester may then be asked to "re-test" the vulnerability after the fix has been applied to verify its effectiveness. This highlights the collaborative nature of ethical hacking; it is not just about "breaking in" (Option B), but about the strategic management of risk. Professionalism in pentesting is defined by this commitment to communication and the proactive protection of the client's assets, ensuring that vulnerabilities are closed as quickly as possible to minimize the window of opportunity for malicious actors.