
Well, I have to say the restricted parameters they gave them weren’t worth a damn.



Fwiw, real breaches don’t care about parameters. I know the law doesn’t see it that way, and the pentesters probably should have cared a bit more, but most contracts I see basically caveat reports to say ‘and any related systems’, which gives something that will cover basically anything that would be considered ‘reasonable’ in the court of law.

The purpose isn’t to be an asshole, it’s to actually raise issues when you’re otherwise limited by sleazy performance-paid project managers trying to limit your scope to basically nothing.



