Or just the final code or maybe have access to your servers or other assets - and without a full security check / wipe, you can't know if they created a way in - or they threaten to release your code publicly, or sell it, etc.
People actually accept executable, possibly backdoored code and/or assets from random-internet-site-freelancers – then install it on their production sites _without_ security auditing it?
(I know - I _shouldn't_ be surprised, I suspect significant double-digit percentages of WordPress sites have themes installed which have some mysterious "<!-- Don't remove this! required for mobile menu to work! --> <?php echo eval(base64_decode('foobazbah')) ?>" type thing in footer.php…)
Most people I know who have used odesk/elance simply don't have the ability to perform an audit.
They are mostly writers, photographers, non-technical entrepreneurs and so on who have outsourced some development tasks related to their online activities. They personally have no ability to assess the code apart from how it looks in the front end. They could hire a second person to do the audit for them but now they have two people to worry about getting screwed by...
Just to balance the concept, usually people who have maintained good ratings for a long time don't do this. I have worked for like 5-6 years at oDesk part time, done around 40 jobs of varied sizes (hourly as well as fixed price), never even once held back code or anything, and barely once received somewhat negative feedback, in which case I believe it was still my fault. So all sorts of people exist and work online. Those who have built reputations over years value them far more than the money, and an employer can easily trash the reputation with feedback. That being said, employers from the western world are generally nice, or maybe it was just my experience :)
I don't understand how they would do this. On oDesk, both employer and employee only have the opportunity to rate one another after the work is completed and the project is closed.