---
title: "Fact-Check Policy"
date: 2026-05-04
author: "Barry Elad"
---

# Fact-Check Policy

Cybersecurity reporting fails most often not because writers invent things, but because they propagate someone else’s mistake without checking. SQ Magazine treats every breach figure, CVE, and vendor claim as untrusted input until it has passed the verification stack described below. This page is the companion to the [Publishing Principles](https://sqmagazine.co.uk/publishing-principles/), [Ethics Policy](https://sqmagazine.co.uk/ethics-policy/), and [Corrections Policy](https://sqmagazine.co.uk/corrections-policy/).

## Scope

The verification stack applies to every factual claim in an SQ Magazine article. “Factual claim” means anything a reader could later quote or act on. In practice that covers:

- **Reported figures:** breach counts, ransomware payments, dwell times, recovery costs, vulnerability totals, patch rates, attack-traffic volumes
- **Identifiers:** CVE numbers, KEV entries, NVD/CVSS scores, MITRE ATT&CK technique IDs, MISP tags, CWE codes
- **Dates:** disclosure, patch availability, exploit-in-the-wild observations, advisory revisions
- **Attributions:** who said what, in which advisory, vendor bulletin, court filing, or peer-reviewed paper
- **Derived figures:** calculations from primary data with the underlying inputs and the arithmetic shown

Editorial analysis, forward-looking assessment, and opinion are flagged separately. When we draw a conclusion, we cite the evidence behind it.

## Source Hierarchy

We rank sources by how close they sit to the original information.

| Tier | Examples | Use |
| --- | --- | --- |
| Primary, technical | Vendor security advisories, NVD entries, CISA KEV catalogue, CERT/CC reports, RFCs, IETF drafts, IEEE papers | Default for technical claims |
| Primary, governmental | CISA advisories, NCSC guidance, ENISA reports, FBI IC3 statistics, court filings, regulatory orders | Default for incident attribution and statutory claims |
| Primary, commercial | Direct vendor reports (Microsoft, Cloudflare, Mandiant, CrowdStrike, Palo Alto Unit 42), with stated methodology | Used with the methodology disclosed in our article |
| Secondary, accepted | Coverage by an outlet that itself cites a tier above and links to it | Treated as a pointer; we then cite the primary directly |
| Secondary, rejected | Aggregator pages, marketing decks, breach-summary listicles, vendor press releases without underlying data, AI-generated summaries | Not used |

If a competitor breaks a story, we name them and link to the original story, then trace and cite the primary source ourselves.

## The Verification Stack

The stack runs in three phases. Each phase has hard gates: an article cannot move past a phase until every claim in it has passed.

### Phase 1: Capture (deterministic, automated)

- **Fetch and hash.** Every source URL is fetched, the publication date is recorded, and a SHA-256 of the page is stored. Re-fetching later detects silent edits
- **Excerpt extraction.** The verbatim sentence or paragraph that supports each claim is captured before the article is drafted
- **Claim tagging.** Every factual sentence in the draft links to the excerpt that backs it. Untagged factual sentences fail this gate

### Phase 2: Cross-check (mixed, automated and reviewed)

- **Verbatim match.** Quoted strings in the article must match the captured excerpt character for character
- **Math check.** Every derived figure is recomputed from the underlying inputs; any mismatch blocks publication
- **First-pass classifier.** Each claim is checked against its excerpt and returned with one of three verdicts (supported, uncertain, or contradicted) plus a confidence score
- **Second-pass re-check.** Numerical claims, superlatives, and any first-pass result below threshold are re-run against a stricter check
- **Source-tier upgrade.** Any claim leaning on a secondary source is re-checked against a primary equivalent before publishing

### Phase 3: Sign-off (human, named)

- **Volatility refresh.** For active incidents, zero-days, and live ransomware campaigns, any source older than 48 hours is re-fetched before publishing
- **Subject-matter review.** A named SQ Magazine reviewer with relevant credentials reads the piece end-to-end. Reviewer name and credentials are visible on the published article
- **Audit log archived.** The full verification log (every claim, source, decision, score) is archived against the article ID for later reference

## Threshold and Failure Handling

Each claim carries an internal confidence grade. The publish threshold is fixed; claims below it cannot ship. If the verification stack flags a claim mid-process, the writer has three options: re-source from a higher-tier reference, rewrite the claim more narrowly so that the existing source supports it, or remove the claim. There is no fourth option.

## Independence

SQ Magazine accepts no compensation from vendors, security firms, MSSPs, or platforms in exchange for coverage. Reviewers disclose relevant employment or advisory positions on their author profiles. Where a reviewer has a conflict, the article is reassigned. Sponsored content is labelled and produced separately from editorial; it is never published as editorial.

## Refresh Cadence

Cyber data ages quickly. Evergreen statistics articles are revisited on a fixed schedule. News articles are updated when material new information lands. Each article carries its last-reviewed date.

## Corrections

Send factual-error reports to <media@sqmagazine.co.uk>. We respond to every correction request, log the change against the article, and refresh the audit log. Full process: [Corrections Policy](https://sqmagazine.co.uk/corrections-policy/).

*Last reviewed: 5 May 2026.*