There are many ways to learn security best practices. You can attend a training session, read documentation, complete an annual compliance module, or sit through a reminder about why locking your computer matters. All of these things have value, but at Coveo, there has also been a much more informal way to learn the same lesson.

It is called the donut.
For people who have never experienced it, the concept is simple. If you leave your laptop, or sometimes your phone, unlocked and unattended, someone may use it to post “DONUT” in a public Slack channel. After that, they lock your device for you. You have now been donuted, and you owe donuts to the office.
It sounds like a joke, and in many ways it is. But it is also one of the most effective security awareness systems I have ever seen. When I joined Coveo in 2017, the tradition was already well established. It was not presented as a formal onboarding rule, but you learned about it quickly. Someone would leave their laptop open, and a public “DONUT” would appear in Slack. People would react, and the victim would eventually show up with boxes from Tim Hortons.

At Coveo, we take security seriously. It’s not only about the systems we build or the data our customers trust us with. It’s also about behavior. Security is part of the way people work every day, including the small moments that can seem harmless: stepping away for coffee, walking to a nearby desk, or leaving a phone unattended for a minute.
The donut tradition makes that behavior visible. It’s not severe, and it’s not meant to be punitive in a corporate sense. Nobody’s opening a formal incident because someone forgot to lock their screen. But the experience is memorable. You see your name attached to a public donut, you hear people laugh, and you bring donuts.
The next time you stand up from your desk, locking your computer becomes a reflex.
The Local Rules
Like many strong traditions, donut culture is local. In the Quebec and Montreal offices, people would usually post the donut in the office Slack channel. The message could be simple, dramatic, or unnecessarily theatrical, but the core content was always the same: DONUT.

Behind the scenes, your name is added to a leaderboard of people who have been donuted. Because this is Coveo, someone obviously built a leaderboard. When you give software people a recurring process and a bit of shame to quantify, a ranking system is never far behind.
The leaderboard made the tradition visible and gave it a sense of continuity. Once your name is there, you are part of the Coveo story. The debt was usually paid with two dozen fresh donuts. In Canada, this naturally meant Tim Hortons became a key infrastructure provider in the system.

Over time, we also started accepting charity donations as a way to clear the debt. Why? Because at some point the amount of sugar involved was becoming its own workplace risk.
Slash Donut
As the tradition grew, the manual process became tedious. Opening Slack, finding the right channel, writing the message, recording the event, and updating the leaderboard created too much friction for something that had become part of daily office life.
So we built /donut.
The command makes the process easier and more official. Instead of manually tracking everything, it records the donut and updates the system. It’s simple, useful, and very representative of how Coveo culture works: if a ritual becomes repetitive enough, someone will eventually automate it.
There is something funny about building an internal tool for pastries and public accountability, but it also made sense. The tradition had become part of how people reminded each other to follow a basic security habit, so the tooling followed naturally.
Testimonials
Some of the best donut stories are not really part of the official rules. They are the stories people remember, retell, and use as examples of how far Coveo culture goes.
One colleague built a setup with an RFID tag so that when they walked away from their computer, it would automatically lock. It was a practical countermeasure, and probably one of the cleanest ways to avoid being donuted. It also showed how seriously some people took the challenge. At that point, it was not just about remembering a keyboard shortcut anymore. People were engineering their way out of donut debt.
Laurent, our CEO, also created a defensive setup of his own, back in the early days of the company. If someone tried to donut him, the system would take a picture and trigger a loud alarm. That story says a lot about the culture. Donut was not just something happening quietly in a corner of the office. It had executive sponsorship, and apparently that sponsorship came with sound effects.
Another story involves Benji, a USB keyboard, and a suspicious amount of preparation. The target was a colleague whose computer could be reached, but not easily used in the traditional way. Benji plugged a USB keyboard into their colleague’s machine and executed the entire donuting sequence from memory without looking at the screen: Windows + R, open Outlook, create a new message, navigate the interface, and send the donut. Meanwhile, another colleague distracted the target. It was funny because of how much planning went into something so ridiculous, but it was also a real reminder that an unattended device is not only vulnerable through its screen. Ports, peripherals, shortcuts, and other interfaces can all become part of the attack surface.
There was also a Covean who didn’t want to pay his donut debt. Maybe he forgot, maybe he resisted, or maybe he thought the system would eventually move on. It did not. Someone came in during the weekend and built a huge wall art piece out of Post-its. It was an 8-bit version of the debtor’s face, displayed in the office as a public reminder that the debt remained unpaid. There were probably easier ways to remind someone to bring donuts, but creating pixel art was much more memorable.

Finally, there was the Siri loophole. One person got donuted through Siri on their phone, without the phone technically being unlocked. This was before voice validation and speaker recognition became common, so someone was able to trigger an action through the assistant. This led to a lot of debate. Was it legitimate? Did it count if the phone was locked? Was Siri part of the available attack surface, or was that outside the spirit of the donut? The disagreement was probably more valuable than the verdict, because it forced people to think about what “locked” actually means.
At one point, someone donuted a colleague while this colleague was donuting him.

Why Donuting Works
Donut culture works because it is social. Most security rules are invisible until something goes wrong. Donut culture makes the behavior visible before a real problem happens. It creates a small consequence, shared by the group, attached to a behavior that everyone understands.
It also keeps the tone right. The goal is not to humiliate people. It’s to create a reflex. You aren’t a bad person because you forgot to lock your computer, but you did present an opportunity. The office will help you remember that.
There is also something very Coveo about the whole thing. It combines humor, accountability, automation, competition, creativity, and just enough chaos to make the lesson stick. It is not a top-down campaign with posters and slogans. It is a living tradition, shaped by the people who participate in it.
Most of us don’t think deeply about locking a laptop. But when it is left unlocked, and someone posts DONUT, it dominoes. Someone else builds a slash command, another builds a trap, and a third person creates an 8-bit Post-it mural. In the end, we all debate the legality of Siri. And as a company, we become more mindful.

Lock Your Computer
Coveo’s donut culture is funny, but it is not random. It exists because security is everyone’s responsibility, and because habits are easier to build when they are reinforced by the people around you.
A locked computer is a small thing. It takes a second. But it says something about the way you work. It says you are aware, careful, and respectful of the trust placed in you.
If you forget, the system is ready. Someone will notice, post, and lock your computer. Sooner or later, you’ll be standing in the office with two dozen donuts, officially wiser than you were before.

