As security professionals and advocates, we are aware that many people entrust us with their protection through conducting security reviews, publishing educational content and many other means of helping protect protocols and users. If we abuse this trust in any way, we lose our purpose of being trustworthy protectors for others that need our help. So let us act accordingly and take this responsibility seriously. No one is perfect but we should always endeavor to do our best when helping others and be accountable for the commitments we make.
We do not exploit our unique skillsets or information advantage in any way to gain a malicious advantage over others. Our aim is always to achieve the best possible result for those that we help whether as a personal contributor or commercial business. Exploiting a project without consent or misusing information entrusted to you by a client or through your participation in the Security Alliance is not tolerated and will result in your removal from all Security Alliance initiatives. Simply put: Don't be a dick!
In one sentence: We handle information carefully, as you would expect from security professionals. We do NOT share sensitive information related to a potential exploit that may be live UNLESS it is absolutely necessary to prevent an impending attack. We should always assume that information is confidential unless we have knowledge that the owner or another party has made the information public or has the right to release it. We also practice good information security in our own day-to-day work by doing our absolute best to ensure that our devices, communication channels and working environment are secured and safe from intrusions that could expose sensitive information entrusted to us.
We do not lie or mislead others about our accomplishments, abilities, or affiliations. As security professionals, we are often assumed to be experts in our field by others and must never exploit that to mislead others for personal or commercial gain. We must also be honest in how we report security findings and publish research. We NEVER misuse the work of others through improper attribution or otherwise representing someone else's work as our own.
We are respectful to colleagues, clients, users and our competitors. We do not denigrate or disparage others, even when they make mistakes, although we may provide constructive critiques for the benefit of others. We truthfully and respectfully represent other security professionals and organizations, even when we have competing interests or disagreements. As participants in the Security Alliance, we ALL share the same goal of protecting others.
We understand that security is always an evolving landscape and that, as security professionals and advocates, we have a duty to stay informed of the latest exploits, trends and best practices. We do not shy away from opportunities to learn and grow our understanding of the technologies we are asked to protect and the types of attacks that might be used against them. When we learn something new that can be used to protect others from attack, we do our best to share what we know, even when it might not be in our personal or commercial interest to do so. We recognize that knowledge of new exploits may spread quickly and we must be willing to learn it, share it responsibly, and act on it just as quickly to protect others to the best of our ability.