Cybersecurity reporting carries unique responsibilities. Poor coverage can mislead defenders,
tip off attackers, expose victims, or undermine the trust between security researchers and
the broader community. This policy sets out how Cyber Newsroom approaches these challenges.
Our goal is to be useful to security defenders and practitioners — not to create panic, enable
threat actors, or embarrass victims. When in doubt, we err on the side of caution.
What We Cover
Cyber Newsroom focuses on cybersecurity content with clear relevance to practitioners:
- Disclosed vulnerabilities (CVEs, vendor advisories, researcher reports)
- Ransomware and extortion campaigns with public confirmation
- Nation-state and APT activity reported by credible threat intelligence sources
- Data breaches confirmed by affected organisations or authoritative third-party sources
- Malware analysis and threat actor TTP changes
- Security tool releases, patches, and mitigation guidance
- Regulatory and compliance developments affecting cybersecurity practice
- Geopolitical events with significant cyber dimensions
What We Do Not Cover
- Unconfirmed or unverified breach claims with no corroboration
- Content that would primarily benefit attackers rather than defenders
- Working exploit code or step-by-step attack instructions
- Personal information about individual victims of attacks
- Content that could be used to harass, dox, or harm individuals
- Pure rumour or speculation presented as fact
Editorial Standards
We Do
- Cite primary sources (NVD, vendor advisories, credible researchers)
- Distinguish confirmed fact from analysis and speculation
- Acknowledge uncertainty in attribution
- Report CVSS scores and affected versions accurately
- Include available mitigations and patches
- Label AI-generated content clearly
- Correct errors promptly and visibly
We Do Not
- Sensationalise threat severity beyond source material
- Attribute attacks without corroborating evidence
- Name individual victims without public confirmation
- Republish ransom demands or stolen data
- Speculate about unannounced vulnerabilities
- Use scare language to inflate story importance
- Present AI opinion as expert human opinion
Vulnerability Disclosure Coverage
We cover vulnerabilities once they are publicly disclosed — either by the vendor,
the researcher, MITRE/NVD, or a CERT. We do not cover unpatched vulnerabilities that have not
been publicly acknowledged, as premature publication could endanger systems before defences are available.
For zero-day disclosures already public (e.g., via PoC code or active exploitation reports),
we cover the defensive posture: detection, containment, and workarounds. We do not provide
reproduction steps or weaponisable technical detail beyond what is necessary for defenders.
Threat Actor Attribution
Cyber attribution is inherently difficult and frequently contested. Our policy:
- We attribute only when a credible threat intelligence source has made a public attribution
- We note the confidence level of attribution ("with high confidence", "tentatively linked to", etc.)
- We distinguish between technical indicators and political attribution
- We do not repeat unsubstantiated attributions made by parties with obvious political interests
- We correct attributions when credible counter-evidence emerges
Data Breach Reporting
What We Report
Breaches confirmed by: (a) the affected organisation, (b) regulatory notifications (SEC, ICO, DPC filings),
(c) credible breach notification services with independent verification, or (d) law enforcement statements.
What We Omit
We do not publish: individual victim names from breach data, account credentials, payment card data,
personally identifiable information (PII) of private individuals, or content sourced directly from
dark web markets or ransomware leak sites.
Responsible Reporting on Active Incidents
During active incidents (ongoing ransomware, live exploitation), we:
- Avoid identifying which specific systems remain unpatched or unmitigated
- Delay technical detail that could assist active attackers
- Prioritise guidance that helps defenders over content that informs attackers
- Update articles as the situation evolves
Privacy in Security Reporting
Victims of cyber attacks — organisations and individuals — have privacy interests even when the
attack is newsworthy. We:
- Do not name individual employees, patients, or customers whose data was exposed unless they are
public figures acting in a public capacity
- Avoid publishing information that could re-victimise data breach victims
- Do not engage in or facilitate "breach hunting" — trawling stolen datasets to identify victims
- Comply with applicable data protection laws (GDPR, CCPA) in our own operations (see
Privacy Policy)
Source Diversity & Independence
Our content aggregates from a curated list of sources including independent researchers, vendor
threat intelligence teams, academic institutions, and specialist media. We maintain the following:
- No commercial relationships with vendors in exchange for coverage
- No sponsored content
- Source trust scores that downweight vendor press releases relative to independent research
- Multiple source corroboration before significant claims are reported as established fact
Corrections & Retractions
If a published article contains a material factual error, we will:
- Correct the error with a visible correction note and datestamp
- Retract the article in cases of severe inaccuracy or where correction is insufficient
- Review correction requests sent to contact@cybernewsroom.xyz with "Correction Request" in the subject line