[gotodengo]

Absolutely agreed. Especially since, in spite of my disagreement with the handling of things, the sheriff may have a point in the authorization angle.

My initial comment pointed more generally to an example of politics within a company though.

[tptacek]

Like: a scenario that comes up all the time in ordinary web application testing: your authorized target interacts with a third-party API, for which you are not authorized to test. Pentesters generally get this right, because if you get it wrong, no matter what your client tells you, you're liable. (Indemnification may come into play here, but it won't matter criminally).