Code of ethics

How I work, and what I won't do.

Offensive security is a trust profession. These are the principles I hold myself to on every engagement - independent, contract, or full-time.

01
Authorisation first

I only test systems I have explicit, written permission to test. No grey-area "they probably wouldn't mind" engagements. No surprise discoveries.

02
Scope is sacred

In-scope assets are the only things I touch. Out-of-scope means out-of-scope, even if a finding looks tempting. Scope changes happen in writing.

03
Findings stay confidential

Engagement detail, vulnerabilities, and client identities are confidential. Anything I share publicly is sanitised, redacted, and approved.

04
Disclose responsibly

Critical findings reach the client inside hours, never buried in a final report. Public disclosure waits until remediation has had a fair chance.

05
Do no avoidable harm

Tests are run with rate limits, off-hours coordination, and rollback plans. Production access is treated as a privilege, not a permission slip.

06
Be honest about uncertainty

If I'm not sure a vulnerability is exploitable, I say so. False positives waste your team's time as much as missed criticals do.