[tptacek]

There's kind of a difference between clients and stakeholders gaming a pentest or spinning its results and pentesters not being authorized to test their targets. Even with basic web pentesting, rules of engagement particularly around which targets you're authorized to test is a big deal. This is a hell of a SNAFU.

[gotodengo]

Absolutely agreed. Especially since, in spite of my disagreement with the handling of things, the sheriff may have a point in the authorization angle.

My initial comment pointed more generally to an example of politics within a company though.

[tptacek]

Like: a scenario that comes up all the time in ordinary web application testing: your authorized target interacts with a third-party API, for which you are not authorized to test. Pentesters generally get this right, because if you get it wrong, no matter what your client tells you, you're liable. (Indemnification may come into play here, but it won't matter criminally).