Did OP do that? I thought he said he did it in private time, so I assumed using private resources (the post is deleted now). Using work resources does change the situation, though if it's just about client-side systems and not IP space then it makes very little difference in practice. Especially if your employer lets you use hardware for private purposes (this is apparently very common for company phones and laptops in NL/BE/DE; personally I like to have clear boundaries there...), but we don't know if that was the case here iirc.
> destructive pen tests
That's not really what happened though, if I remember the post correctly. Running a GET without any authorization header whatsoever on a beta application and getting back production data with secret payment tokens in it... you can't make that stuff up.