“I’m obligated to report if I see anything illegal according to the scope document.”
You message your team lead and inform her of the situation immediately. She responds that there are playbooks to follow for this situation and that she will immediately inform the RisottoCorp trusted agent about what you found. You’re instructed to hold off performing any further activity and hand over your engagement notes and screenshots to assist in the investigation. Luckily, you have all of that information in secure storage, so you oblige.
The engagement is halted so that RisottoCorp can open an investigation. The RisottoCorp leadership let you know that this will not impact the contract and they consider your security testing to be complete and satisfactory.