A pentester discovers a vulnerability in a client's web app. The Rules of Engagement clearly limit testing to the staging environment. The vuln also exists in production. The pentester exploits production to 'prove impact'. Is this legal/ethical?

• 1Both legal and ethical — proof of impact justifies it
• 2Legal because the client owns the system; unethical because it lies outside scope
• 3Neither — it exceeds authorized scope, so it is unauthorized access under most computer-misuse laws
• 4Ethical but not legal — the client cannot waive criminal law