One would think that, if the company that said customer is approaching has the reputation worthy of a high-profile client approaching them, said reputation should be sufficient alongside a demonstration of how their software works. Releasing the source code, especially to an entity that has a track record of what could, at its most generous, be considered double dealing, when said source code is the basis upon which your other clients depend for their security... well, that seems foolish, at best. This is why the company I work for has a multi-tier system in place for new hires that have access to this sort of thing - several rounds of interviews, background checks (including fed security clearances etc), checking and interviews with references (personal and professional), etc. Sure, you aren't going to catch every potential issue with 100% certainty... but there are ways to mitigate the risk. Giving away the keys to the kingdom... not exactly a good way to keep your software secure.