Code of Conduct

Introduction

This Code of Conduct establishes the fundamental principles and standards that guide our professional practice as a provider of source code audits and other audit services. It reflects our commitment to integrity, confidentiality, technical excellence, and ethical business practices in all our interactions with clients, partners, and the broader community.

Core Values

  • Integrity: We conduct our activities with honesty, transparency, and accountability.
  • Confidentiality: We protect sensitive information and respect privacy.
  • Technical Excellence: We maintain high standards of technical competence and accuracy.
  • Independence: We provide unbiased assessments free from conflicts of interest.
  • Responsibility: We take ownership of our work and its impact on clients and the organization.

Professional Conduct

1. Confidentiality and Data Protection

  • We treat all source code, systems, and information as strictly confidential.
  • We implement appropriate security measures to protect all data.
  • We access source code and systems only with proper authorization, and only from a secure work environment.
  • We do not share any data, not even a client's name, unless we receive explicit permission to do so.
  • We comply with all relevant data protection and privacy legislation.
  • We maintain confidentiality agreements even after termination of client engagements.

2. Conflicts of Interest

  • We disclose all actual or potential conflicts of interest to clients.
    These conflicts of interest include but are not limited to:
    • Personal relationships (family, friendship, romantic relationships)
    • Professional relationships (former employer, former colleague, business partner)
    • Financial interests (shares, investments, loans)
    • Previous involvement in the development of the material to be audited
  • We maintain independence from software vendors whose products we evaluate.
  • We decline engagements where our independence may be compromised.
  • We do not accept incentives that could influence our audit results.

3. Technical Competence

  • We continuously develop and maintain our technical skills and knowledge.
  • We only accept assignments within our areas of competence.
  • We use methodical, evidence-based approaches to code assessment.
  • We stay informed about current security threats and vulnerabilities.
  • We recognize when issues require specialized expertise beyond our scope.

4. Quality of Service

  • We focus specifically on the questions and objectives formulated by the client.
  • We strictly adhere to the pre-agreed scope of the audit.
  • We document our findings clearly and accurately within the framework of the assignment.
  • We do not offer services or analyses outside the agreed scope without explicit permission.
  • We deliver services within agreed timelines and budgets.
  • We provide adequate follow-up within the boundaries of the original agreement.
  • If we identify matters outside the agreed scope that could represent a significant improvement (business, technical, or otherwise), we report this to the client.

5. Client Relations

  • We communicate openly and honestly with clients.
  • We set realistic expectations about our services and results.
  • We respect clients' business objectives and constraints.
  • We provide objective advice based on technical merit, not commercial interests.
  • We respond promptly to client questions and concerns.
  • We maintain professional boundaries with the client and their employees.
  • We always approach quality issues from a constructive perspective, understanding that these are usually the result of necessary compromises and practical constraints.

6. Disclosure of Findings

  • We recognize that the ultimate responsibility for disclosure of vulnerabilities lies entirely with the client.
  • We advise the client on industry standard protocols for vulnerability disclosure if desired.
  • We can assist with the disclosure process upon request, without assuming the client's responsibility.
  • We absolutely respect the client's decision about whether, when, and how findings are made public.
  • We do not alert stakeholders or the public without explicit instruction from the client.
  • When legal obligations exist, we inform the client so they can take appropriate action themselves.

7. Intellectual Property

  • We respect intellectual property rights of clients and third parties.
  • We do not appropriate any source code or proprietary techniques.
  • We clearly distinguish between client source code and our own tools or solutions.
  • We properly attribute third-party source code and tools used in our work.
  • We protect our own intellectual property and proprietary methodologies.

8. Competitive Practices

  • We compete based on quality, value, and expertise.
  • We do not make false or misleading claims about competitors.
  • We do not attempt to gain access to competitors' proprietary methods or tools.
  • We respect confidentiality agreements with former clients when working with competitors.
  • We avoid anti-competitive practices.

9. Social Media, External Communication, and Confidentiality

  • We never disclose which clients we work or have worked with in any external context (including LinkedIn and similar platforms) without explicit written permission.
  • We do not share findings, results, or project details on social media, during conferences, in private conversations, or in interactions with other clients.
  • We do not make comments that could implicitly or explicitly suggest we work or have worked with specific clients, in any social or professional context.
  • We are cautious about sharing technical details that, even without client reference, could be traced back to specific projects.
  • We avoid sharing opinions about the security status or code quality of products/services we may have audited, regardless of the setting (online, during presentations, in informal conversations).
  • When sharing general professional knowledge, we ensure it is not traceable to specific clients or projects.
  • We maintain the same professional standards in all environments, including social media, conferences, networking events, private conversations, and within friend circles.
  • We understand that confidentiality is a core aspect of our service that extends to all professional and personal interactions.

10. Compliance and Governance

  • We comply with all applicable laws and regulations.
  • We maintain appropriate business licenses and certifications.
  • We maintain clear retention periods and do not keep client data, source code, or audit results longer than is strictly necessary for service delivery or legally required.
  • We maintain procedures for secure deletion of client data after the established retention period.
  • We uphold this code of conduct through internal governance structures.
  • We regularly evaluate and update this code of conduct to reflect evolving standards and practices.

Implementation

  • All employees and contractors must acknowledge and comply with this code.
  • A confidential channel is maintained for questions and reporting ethical or other concerns.
  • Violations of this code are subject to disciplinary action.
  • We encourage clients and partners to provide feedback on our adherence to these principles.

Conclusion

We believe that adhering to this Code of Conduct not only ensures the highest quality of service to our clients, but also contributes to building trust in the software industry and advancing the state of software security for the benefit of society as a whole.