When I last looked (as a consulting dev in a bank or three, horrified) absolutely they had not!

If this was in the US, all financial institutions need to audit their code to comply with NIST SP 800-53.

If they haven’t, it would be ethically dubious for you to not report it.

	▲	jacquesm 7 minutes ago \| parent \| next [-]
		In theory there is no difference between theory and practice, but in practice there is. > If they haven’t, it would be ethically dubious for you to not report it. I can report all I want, someone needs to act on that report for it to have an effect. There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit.
	▲	drw85 an hour ago \| parent \| prev \| next [-]
		In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy.
	▲	DamonHD an hour ago \| parent \| prev [-]
		These were all multinationals, with very significant US presence.