Requesting the source code and/or having access to it is really meaningless unless you have the skill and capabilities to compile it *and* use it. There is no sure way to know that the source code in your left hand is what was used to compile the binary in your right hand.
Even if you compile your left hand into your right hand. See Ken Thompson's "Reflections On Trusting Trust" (http://www.acm.org/classics/sep95/). To complete the references, Reference 4 ("An unknown Air Force document") is Karger & Schell's paper on a Multics pen-test, which is available at http://www.acsac.org/2002/papers/classic-multics-orig.pdf Karger and Schell did a "30 years later" retrospective, also available at http://www.acsac.org/2002/papers/classic-multics.pdf Between the India/Huawei thing and the MS05-039 mess, this is a good time for everybody who hasn't read all 3 of them to read them - under 40 pages for all 3, and the 24 pages of the first Karger&Schell you can probably skim.....)