Code of Conduct

Introduction

This Code of Conduct establishes the fundamental principles and standards that guide our professional practice as a provider of source code audits and other audit services. It reflects our commitment to integrity, confidentiality, technical excellence and ethical business practices in all our interactions with clients, partners and the broader community.

Core Values

  • Integrity: We conduct our business with honesty, transparency and accountability.
  • Confidentiality: We protect sensitive information and respect privacy.
  • Technical Excellence: We maintain high standards of technical competence and accuracy.
  • Independence: We offer unbiased reviews free of conflicts of interest.
  • Responsibility: We take ownership of our work and its impact on clients and the organization.

Professional Conduct

1. Confidentiality and Data Protection

  • We treat all source code, systems and information as strictly confidential.
  • We implement appropriate security measures to protect all data.
  • We access source code and systems only with proper authorization from a secure work environment.
  • We do not share data, not even a customer's name, unless we have explicit permission to do so.
  • We comply with all relevant data protection and privacy regulations.
  • We enforce confidentiality agreements even after client assignments are terminated.

2. Conflicts of Interest

  • We disclose all actual or potential conflicts of interest to clients.
    These conflicts of interest include but are not limited to:
    • Personal relationships (family, friendship, romantic relationships)
    • Professional relationships (former employer, former colleague, collaborative partner)
    • Financial interests (shares, investments, loans)
    • Previous involvement in the development of the subject matter to be audited
  • We maintain independence from software vendors whose products we evaluate.
  • We refuse assignments where our independence may be compromised.
  • We do not accept incentives that may affect our audit results.

3. Technical Competence

  • We continuously develop and maintain our technical skills and knowledge.
  • We only accept assignments within our areas of competence.
  • We use methodical, evidence-based approaches to code review.
  • We stay abreast of current security threats and vulnerabilities.
  • We recognize when problems require specialized expertise beyond our scope.

4. Quality of Service

  • We focus specifically on the questions and goals formulated by the client.
  • We strictly adhere to the pre-agreed scope of the audit.
  • We document our findings clearly and accurately within the scope of the assignment.
  • We do not offer services or analysis outside the agreed scope without explicit consent.
  • We deliver services within agreed timelines and budgets.
  • We provide adequate follow-up within the limits of the original agreement.
  • If we identify issues outside the agreed scope that could represent a significant improvement (business, technical or otherwise), we notify the client.

5. Customer Relations

  • We communicate openly and honestly with customers.
  • We set realistic expectations about our services and outcomes.
  • We respect clients' business objectives and constraints.
  • We offer objective advice based on technical merit, not commercial interests.
  • We respond quickly to customer questions and concerns.
  • We maintain professional boundaries with the client and their employees.
  • We always approach quality problems from a constructive perspective, understanding that they are usually the result of necessary compromises and practical constraints.

6. Disclosure of Findings

  • We recognize that the ultimate responsibility for disclosure of vulnerabilities lies entirely with the customer.
  • We advise clients on industry standard vulnerability disclosure protocols if required.
  • We can assist in the disclosure process upon request, without taking over responsibility from the client.
  • We absolutely respect the client's decision about whether, when and how findings are disclosed.
  • We do not alert stakeholders or the public without explicit instruction from the client.
  • In the case of legal obligations, we inform the customer so they can take the appropriate action themselves.

7. Intellectual Property

  • We respect intellectual property rights of customers and third parties.
  • We do not appropriate source code or proprietary techniques.
  • We clearly distinguish between client source code and our own tools or solutions.
  • We properly attribute source code and third-party tools used in our work.
  • We protect our own intellectual property and proprietary methodologies.

8. Competitive Practices

  • We compete based on quality, value and expertise.
  • We do not make false or misleading claims about competitors.
  • We do not attempt to access proprietary methods or competitor tools.
  • We respect confidentiality agreements with former clients when working with competitors.
  • We avoid anti-competitive practices.

9. Social Media, External Communications and Secrecy

  • We never reveal which clients we work with or have worked with in any external context without explicit written consent (LinkedIn!).
  • We do not share findings, results or details of projects on social media, during conferences, in private conversations or in interactions with other clients.
  • We make no comments that may implicitly or explicitly suggest that we work or have worked with specific clients in any social or professional context.
  • We are reluctant to share technical details that, even without a client reference, could be traced to specific projects.
  • We avoid sharing opinions about the security status or code quality of products/services we may have audited, regardless of the setting (online, during presentations, in informal conversations).
  • When sharing general expert knowledge, we ensure that it is not traceable to specific clients or projects.
  • We maintain the same professional standards in all environments, including social media, conferences, networking events, private conversations and within circles of friends.
  • We understand that confidentiality is a core aspect of our service that extends to all professional and personal interactions.

10. Compliance and Governance

  • We comply with all applicable laws and regulations.
  • We maintain appropriate business licenses and certifications.
  • We maintain clear retention periods and do not retain customer data, source code, and audit results longer than strictly necessary for the provision of services or required by law.
  • We have procedures in place for the secure disposal of customer data upon expiration of the established retention period.
  • We enforce this code of conduct through internal governance structures.
  • We periodically review and update this Code of Conduct to reflect evolving standards and practices.

Implementation

  • All employees and contractors must recognize and comply with this code.
  • A confidential channel is maintained for questions and reporting ethical or other concerns.
  • Violations of this code are subject to disciplinary action.
  • We encourage customers and partners to provide feedback on our adherence to these principles.

Conclusion

We believe that adherence to this Code of Conduct not only ensures the highest quality of service to our customers, but also helps build trust in the software industry and promote the state of software security for the benefit of society as a whole.