Never exfiltrate real sensitive data beyond what is needed to prove the vulnerability - Never modify production data - Document exactly what you accessed and what you did not - Follow the RoE data handling procedures