BLACK BAG SECURITY offense-led security for high-consequence systems

Policies

Plain-language policy surface for engagements: anti-bribery, confidentiality and data handling, and disclosure.

Anti-bribery posture

No improper payments, gifts, or facilitation payments. Compliance with applicable anti-corruption laws is mandatory.

Confidentiality model

Client-owned data, least-collection, controlled storage and sharing, and retention by agreement.

Disclosure overview

Coordinated disclosure by default, with client approvals and situational timelines.

Anti-bribery

  • We comply with applicable anti-corruption and anti-bribery laws in the jurisdictions where we operate.
  • We do not offer, request, authorize, or accept improper payments, kickbacks, or facilitation payments.
  • Gifts or hospitality, if any, must be lawful, modest, and never tied to procurement or engagement outcomes.
  • Suspected violations are escalated internally and reported through agreed client channels when required.

Confidentiality and data handling

  • Client data and evidence remain client-owned.
  • We collect only what is necessary to validate findings and prove impact.
  • Retention and deletion windows are set by written agreement.
  • Artifacts are stored and transferred through controlled, approved channels.
  • Access to client material is limited to authorized personnel on a need-to-know basis.
  • Use of AI tools with client data requires explicit written approval and agreed boundaries.

Disclosure policy overview

  • We use coordinated disclosure and stakeholder alignment by default.
  • Disclosure plans are scoped with client approval before external communication.
  • Timelines are situational and depend on operational risk, remediation status, and legal constraints.
  • We do not publicly disclose client findings without written permission unless disclosure is required by law.

Responsible conduct

  • Work is performed only within authorized scope and approved test windows.
  • Production safety, stop conditions, and escalation paths are enforced throughout execution.
  • Client identity and engagement details are not shared publicly without written permission.

Trust practices ->

Policy questions ->