// CODE OF ETHICS

Code of Ethics

A single-page agreement for lawful, ethical, authorized, and constructive cybersecurity research at Vexel.

01

Purpose

I am joining Vexel to learn, teach, research, and contribute to cybersecurity, software development, vulnerability research, and public-interest security work. I understand that cybersecurity skills can be used for both protective and harmful purposes. I agree to use my skills only for lawful, ethical, authorized, and constructive activities.

02

General Ethical Commitment

I agree to:

  1. Act lawfully, honestly, professionally, and in good faith.
  2. Use cybersecurity knowledge to improve security, safety, education, and public benefit.
  3. Respect privacy, confidentiality, property rights, and intellectual property rights.
  4. Avoid causing harm to systems, networks, users, organizations, or the public.
  5. Follow all applicable laws, regulations, contracts, terms of engagement, and organizational policies.
  6. Report unsafe, unauthorized, illegal, or unethical activity to organization leadership.
03

Authorization Requirement

I will not access, test, scan, exploit, modify, disrupt, or attempt to compromise any computer, network, device, account, application, cloud environment, or data unless I have clear authorization. Authorization must be one of the following:

  1. A written agreement, rules of engagement, statement of work, bug bounty policy, vulnerability disclosure policy, or other documented permission.
  2. A lab, CTF, sandbox, training environment, or system intentionally provided for testing.
  3. A system that I personally own or have explicit permission to test.
04

Scope and Rules of Engagement

For any authorized test, assessment, bug bounty, research project, or client engagement, I agree to stay within the approved scope. I will not:

  1. Test systems, domains, IP addresses, accounts, devices, employees, or third parties outside the approved scope.
  2. Exceed approved testing methods, time windows, rate limits, or technical boundaries.
  3. Use destructive techniques unless explicitly approved in writing.
  4. Conduct social engineering, phishing, physical security testing, denial-of-service testing, malware deployment, credential attacks, persistence, lateral movement, or data exfiltration unless explicitly authorized in writing.
  5. Continue testing after authorization is revoked, the engagement ends, or I am asked to stop.
05

Prohibited Conduct

I agree that I will not, under any circumstances connected to Vexel:

  1. Gain or attempt to gain unauthorized access to systems, networks, accounts, data, devices, or facilities.
  2. Steal, sell, leak, publish, trade, or misuse credentials, tokens, API keys, private keys, session cookies, personal data, confidential data, or proprietary information.
  3. Deploy malware, ransomware, spyware, botnets, backdoors, credential stealers, destructive payloads, or unauthorized persistence mechanisms.
  4. Perform denial-of-service attacks or intentionally degrade the availability of systems or networks.
  5. Intercept, monitor, sniff, record, or inspect network traffic without authorization.
  6. Masquerade as another person, organization, employee, vendor, customer, or system without authorization.
  7. Use organization resources to harass, threaten, extort, stalk, dox, defame, intimidate, or harm others.
  8. Use discovered vulnerabilities for personal gain, coercion, extortion, retaliation, or public embarrassment.
  9. Publicly disclose vulnerabilities before completing the organization's approved disclosure process.
  10. Use the organization's name, logo, email, infrastructure, reputation, or relationships for unauthorized research, commercial activity, or personal projects.
  11. Violate export controls, sanctions, privacy laws, computer crime laws, intellectual property laws, or contractual obligations.
  12. Misrepresent my role, authority, findings, credentials, or affiliation with Vexel.
06

Vulnerability Research and Disclosure

When participating in vulnerability research, I agree to follow responsible and coordinated disclosure practices. I will:

  1. Minimize access to data and only collect what is necessary to prove the vulnerability.
  2. Avoid viewing, copying, downloading, modifying, deleting, or transmitting sensitive data unless explicitly authorized.
  3. Stop testing and notify leadership if I accidentally access sensitive data, production data, personal information, secrets, credentials, or systems outside scope.
  4. Document findings accurately, professionally, and without exaggeration.
  5. Give affected vendors, owners, clients, or maintainers a reasonable opportunity to investigate and remediate issues before public disclosure.
  6. Follow any applicable vulnerability disclosure policy, bug bounty rules, client rules of engagement, or legal agreement.
  7. Coordinate external communications through approved organization leadership unless I am explicitly authorized to communicate directly. I will not threaten disclosure, demand payment, withhold details for leverage, or imply that a vendor or system owner must provide compensation in exchange for silence.
07

Client, Partner, and Hardware Research

If Vexel receives hardware, software, cloud access, credentials, test accounts, documentation, or other materials from a company, sponsor, nonprofit, school, government entity, or partner, I agree to use those resources only for the approved purpose. I will not:

  1. Reverse engineer, modify, publish, resell, transfer, or retain provided materials except as authorized.
  2. Test connected services, customer environments, production infrastructure, mobile apps, APIs, cloud backends, or third-party systems unless they are clearly included in scope.
  3. Publish vulnerability details, exploit code, photos, teardown results, firmware, binaries, keys, or confidential information without approval.
  4. Contact a company as a representative of Vexel unless authorized to do so.
08

Data Handling and Confidentiality

I agree to protect all sensitive information I encounter, including but not limited to:

  1. Personal information.
  2. Client information.
  3. Credentials, secrets, keys, and tokens.
  4. Vulnerability reports.
  5. Exploit details.
  6. Internal organization documents.
  7. Unreleased software, firmware, or hardware information.
  8. Donor, sponsor, student, member, or volunteer information. I will store sensitive data only in approved locations, use appropriate access controls, and delete or return data when instructed. I will not copy sensitive data to personal devices, public repositories, personal cloud storage, Discord, Slack, email, or paste sites unless explicitly approved.
09

Use of Organization Resources

Organization resources may include labs, cloud accounts, domains, servers, VPNs, tools, email accounts, source code repositories, hardware, credentials, funding, sponsor-provided equipment, and communication platforms. I agree to use these resources only for approved organization activities. I will not use organization resources for:

  1. Unauthorized scanning, exploitation, or attacks.
  2. Personal commercial work.
  3. Cryptocurrency mining.
  4. Piracy or copyright infringement.
  5. Harassment or abuse.
  6. Political campaign activity prohibited for 501(c)(3) organizations.
  7. Any activity that creates legal, financial, reputational, or operational risk for the organization.
10

Training, CTFs, and Labs

I understand that cybersecurity training must be conducted in safe and authorized environments. I agree that offensive security practice must be limited to:

  1. CTF platforms.
  2. Intentionally vulnerable machines.
  3. Organization-approved labs.
  4. Personal systems I own.
  5. Systems where written permission has been granted. I will not use techniques learned in training against real-world systems without authorization.
11

Software Development Ethics

When contributing code, tools, scripts, documentation, or research to Vexel, I agree to:

  1. Follow secure coding practices.
  2. Avoid intentionally introducing backdoors, hidden accounts, malicious logic, or insecure defaults.
  3. Respect software licenses and intellectual property rights.
  4. Avoid committing secrets, credentials, tokens, or sensitive data to repositories.
  5. Clearly label proof-of-concept code and restrict access when misuse is likely.
  6. Follow project maintainers' contribution, review, and approval processes.
12

Conflicts of Interest and Nonprofit Integrity

I understand that Vexel is intended to operate for charitable, educational, scientific, and public-interest purposes. I agree not to use the organization for improper personal benefit, private gain, undisclosed commercial activity, or preferential treatment. I will disclose any actual or potential conflict of interest involving sponsors, vendors, clients, employers, family members, paid work, ownership interests, or personal financial benefit.

13

Reporting Requirement

If I become aware of illegal, unsafe, unauthorized, or unethical activity connected to Vexel, I agree to promptly report it to organization leadership. This includes:

  1. Unauthorized access.
  2. Accidental access to sensitive data.
  3. Out-of-scope testing.
  4. Lost or exposed credentials.
  5. Misuse of tools or infrastructure.
  6. Unapproved disclosure of vulnerabilities.
  7. Harassment, threats, or coercive behavior.
  8. Requests from third parties to perform suspicious or unauthorized work.
14

No Legal Authority or Protection

I understand that membership in Vexel does not give me special legal authority, immunity, permission to test third-party systems, or permission to violate laws or policies. I understand that claiming to be doing "research," "education," "pentesting," or "ethical hacking" does not make an activity lawful or authorized.

15

Discipline and Removal

Violation of this agreement may result in one or more of the following:

  1. Warning or retraining.
  2. Removal from a project or event.
  3. Suspension or termination of membership.
  4. Revocation of access to organization resources.
  5. Reporting to affected organizations, schools, sponsors, platforms, law enforcement, or other appropriate parties.
  6. Civil, criminal, academic, or employment consequences.
16

Acknowledgment

By signing this agreement, I acknowledge that:

  1. I have read and understand this Code of Ethics and Acceptable Use Agreement.
  2. I agree to follow it at all times when participating in Vexel activities.
  3. I understand that I am personally responsible for my actions.
  4. I understand that violating this agreement may result in removal from the organization and possible legal consequences.
  5. I understand that this agreement may be updated, and continued participation may require signing the updated version.