Code of Conduct

Our commitment to ethical principles, professional integrity, and responsible cybersecurity practices.

⚖️ Purpose and Scope

This Code of Conduct establishes the ethical principles and professional standards that govern the behavior of all Find The Breach personnel, including employees, contractors, officers, and directors ("Team Members"). As a cybersecurity company entrusted with sensitive vulnerability data, we hold ourselves to the highest standards of integrity, professionalism, and ethical conduct.

This Code applies to all business activities, interactions with customers, partners, competitors, regulatory authorities, and the general public. Compliance with this Code is a condition of employment or engagement with Find The Breach.

Effective: February 1, 2026 • Reviewed annually by the executive team • SOC 2 CC1 • ISO 27001 A.5

🛡️ Core Ethical Principles

1. Integrity

We conduct all business honestly and transparently. We do not misrepresent our capabilities, findings, or results. Vulnerability scan results and security assessments are reported accurately and without manipulation. We never fabricate, exaggerate, or minimize security findings.

2. Confidentiality

We treat all customer data, vulnerability findings, and security assessment results as strictly confidential. Team Members shall not disclose, discuss, or share customer security information with unauthorized parties. This obligation extends beyond employment or engagement with Find The Breach.

3. Responsible Disclosure

When we discover vulnerabilities — whether in customer systems or third-party software — we follow responsible disclosure practices. We coordinate with affected parties before any public disclosure. We never exploit discovered vulnerabilities for personal gain or any purpose beyond authorized testing.

4. Authorization and Consent

We only scan, test, or assess systems for which we have explicit written authorization. We respect the boundaries of authorized testing and do not exceed the agreed-upon scope. Unauthorized access to any system is strictly prohibited.

5. Data Protection

We protect personal data in accordance with applicable privacy laws (GDPR, CCPA/CPRA, and others). We minimize data collection, implement appropriate technical safeguards, and delete data when it is no longer needed for legitimate business purposes.

Professional Standards

Acceptable Conduct

  • Treat all colleagues, customers, and partners with respect and professionalism
  • Report security incidents, vulnerabilities, and policy violations promptly
  • Maintain accurate records and documentation
  • Complete assigned security awareness training on schedule
  • Follow established change management procedures
  • Use company resources (including systems, data, and tools) responsibly and only for authorized purposes
  • Cooperate with internal and external audits

Prohibited Conduct

  • Unauthorized access to customer systems, data, or internal systems
  • Exploiting vulnerabilities for personal gain, regardless of authorization status
  • Sharing customer vulnerability data or security findings with unauthorized parties
  • Discrimination, harassment, or creating a hostile work environment
  • Falsifying security scan results, reports, or compliance documentation
  • Using company resources for illegal activities or personal projects without authorization
  • Retaliating against individuals who report concerns in good faith
  • Circumventing security controls or monitoring systems

⚠️ Conflict of Interest

Team Members must avoid situations where personal interests conflict, or appear to conflict, with the interests of Find The Breach or its customers. This includes:

  • Financial interests: Holding significant financial interests in companies that are customers, competitors, or suppliers of Find The Breach
  • Outside employment: Engaging in outside employment or consulting that creates a conflict with Find The Breach responsibilities, particularly in cybersecurity or related fields
  • Personal relationships: Making business decisions influenced by personal relationships rather than the best interests of the company and its customers
  • Gifts and entertainment: Accepting gifts, entertainment, or other benefits from customers, vendors, or partners that could influence or appear to influence business decisions (nominal gifts under $100 are generally acceptable)

Any actual or potential conflict of interest must be disclosed to management immediately. Undisclosed conflicts may result in disciplinary action.

🔒 Confidentiality Obligations

All Team Members are bound by confidentiality obligations that extend to:

  • Customer vulnerability scan results, security findings, and remediation plans
  • Customer business information, infrastructure details, and system configurations
  • Find The Breach proprietary scanning methodologies, algorithms, and techniques
  • Internal security policies, incident reports, and compliance documentation
  • Employee personal information and compensation details
  • Business strategies, financial information, and partnership details

Confidentiality obligations survive the termination of employment or engagement. Former Team Members must return or destroy all confidential information upon departure and refrain from disclosing such information indefinitely.

📢 Reporting Concerns

Find The Breach encourages all Team Members to report any violations or suspected violations of this Code of Conduct, company policies, or applicable laws and regulations. Reports may be made through:

Non-Retaliation Policy: Find The Breach strictly prohibits retaliation against any individual who reports a concern in good faith. Retaliation includes termination, demotion, suspension, threats, harassment, or any other adverse action. Reports of retaliation will be investigated and may result in disciplinary action up to and including termination.

All reports will be treated with appropriate confidentiality. Investigations will be conducted promptly, thoroughly, and fairly.

Disciplinary Process

Violations of this Code of Conduct may result in disciplinary action proportionate to the severity of the violation, including:

  • Verbal warning: For minor, first-time violations
  • Written warning: For repeated minor violations or moderate violations
  • Suspension: For serious violations pending investigation
  • Termination: For severe violations, including unauthorized data access, falsification of results, or breaches of customer confidentiality
  • Legal action: For violations that constitute criminal offenses or cause material harm

All Team Members will be given the opportunity to respond to allegations before disciplinary action is finalized, except in cases where immediate suspension is necessary to protect customers or the company.

📋 Compliance and Training

All Team Members are required to:

  • Read and acknowledge this Code of Conduct upon joining Find The Breach
  • Complete annual security awareness training covering this Code and related policies
  • Participate in role-specific training for handling sensitive security data
  • Stay informed of updates to this Code and related company policies
  • Comply with all applicable laws and regulations, including the Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act 1990, GDPR, CCPA/CPRA, and industry-specific requirements

This Code of Conduct is reviewed annually by the executive team and updated as necessary to reflect changes in legal requirements, industry standards, and organizational needs. The most recent review date is noted at the top of this document.

🔗 Related Policies

→ Information Security Policy → Acceptable Use Policy → Access Control Policy → Data Classification Policy → Incident Response Plan → Change Management Policy → Responsible Disclosure Program → Privacy Policy → Legal Hub → Trust Center