Editorial standards: what CipherGuard publishes, and how
This is the first post on CipherGuard, and it is the only one whose purpose is to set expectations rather than to report a story. If you have arrived here from one of our investigations, this is the page that explains the rules of the road. If you are a source, a vendor PSIRT, or another reporter, this is also the page to read.
CipherGuard is an independent two-person operation. I (Raj Kumar) cover threat actors, supply chain, and government incident response. My colleague Sana Mehta covers cloud security, the SaaS ecosystem, and the privacy / surveillance beat. We are based in London with regular reporting trips to Bangalore and a network of contributors in the US, Germany, and Singapore. The publication is funded by a small set of paid subscriptions (the Threat Briefing newsletter) and a single underwriter whose identity is disclosed on the About page.
What we publish
Four kinds of pieces, roughly in descending volume:
- Investigations. Long-form, multi-source, document-backed reporting on a specific intrusion, threat group, vendor failure, or policy shift. Typical length 2,500–4,500 words. Typical reporting window 4–12 weeks. We aim for one a month.
- Field reports. Hands-on technical work we have done ourselves — testing a class of product, walking a real proof-of-concept, benchmarking a defensive control. Typical length 1,200–2,200 words.
- Briefings. Short, time-sensitive analyses of a fresh disclosure, advisory, or breach. Typical length 600–1,000 words. We do not publish briefings without at least one source beyond the original advisory.
- Standing dashboards. Living pages updated as the underlying telemetry changes — currently a supply-chain scorecard, a tracked-threat-actor table, and a CVE coverage map. These do not appear in the article feed but are linked from the homepage.
What we do not publish: vendor press releases re-arranged into prose, threat-actor "profiles" assembled from secondary sources only, anything we cannot independently confirm with at least two non-vendor sources, and predictions.
How we source
Every CipherGuard report has at least three of the following:
- A named primary source, on the record. Where this is not possible for safety or legal reasons, we use an attributed pseudonym (e.g. Operator A in our Volt Typhoon coverage) and document the relationship in our internal records, which can be subpoenaed but will not otherwise be disclosed.
- A public document — court filing, regulatory disclosure, vendor advisory, leaked corpus with an established chain of custody.
- Independent technical evidence we have inspected ourselves — a packet capture, a binary, a configuration artefact, an SBOM, a SIEM extract.
- A corroborating second source who is not affiliated with the first.
Pieces with fewer than three of these do not run. Pieces that rely entirely on the second category (public documents) are clearly labelled as Document analysis in the kicker.
We use MITRE ATT&CK technique IDs (e.g. T1078, T1190) wherever an attacker behaviour is described, so that our reporting can be machine-collated against other publications. We use full CVE-YYYY-NNNN format IDs and link every reference to NVD or, where the embargo is still in effect, to the vendor PSIRT page.
Corrections, updates, and the difference between them
A correction changes a factual claim that was wrong at the time of publication. Corrections are noted at the bottom of the article, with the date, the original text, and the corrected text. We never silently edit a published claim.
An update adds new information that has emerged since publication. Updates are timestamped and labelled [UPDATE] in the body, in chronological order at the appropriate point in the piece. The original text is preserved.
The corrections email is [email protected]. We commit to acknowledging within 48 hours and publishing a correction (if warranted) within 96 hours of the original notification.
Disclosure to vendors
For any technical vulnerability we discover, we follow a 90-day coordinated disclosure timeline modelled on Google Project Zero's but with two differences. First, we will extend the deadline by up to 30 days on written request from the vendor's PSIRT, no questions asked, provided we have a credible patch ETA. Second, we will not extend beyond 120 days under any circumstances, including by legal threat.
If a vendor declines to acknowledge a disclosure for 30 days after we have verified the contact channel, we will publish on the original 90-day cadence and explicitly note the non-response. We have done this once and will do it again.
What we will not do
To save time for everyone:
- We will not run sponsored content of any kind. The newsletter is the only commercial product. The underwriter does not have prior review of any article and has, on three documented occasions, learned about a piece in the same batch as paid subscribers.
- We will not use AI to write articles. We use it for transcription, for translating non-English source material, and occasionally for rephrasing a draft headline. Every paragraph that appears on this site was written, edited, and fact-checked by a human.
- We will not "embargo trade" with vendors — i.e. accept early access to an advisory in exchange for sympathetic coverage. We will accept embargoes against agreed publication dates, full stop.
- We will not run a story we cannot defend in court. Practically, this means our libel insurer (Hiscox Media) has a standing right of review on anything that names a specific person or company in a critical context. They almost never comment; when they do, we listen.
How to reach us
Tips: [email protected]. We read everything. We confirm receipt within 72 hours.
For secure communication, request our Signal address by email, or use the PGP key fingerprint 4A7C 9D33 1F88 0C2B E5A6 9C71 3A04 8821 B7FE 9D04 (full key on the About page).
For corrections: [email protected]. For editorial questions: [email protected]. For commercial questions (which we do not have): we don't.
What is next
The publishing calendar is currently:
- Tuesdays — the Threat Briefing newsletter goes out at 09:00 UTC. Free tier gets the top three items; paying subscribers get the full digest.
- Thursdays — a long-form piece (investigation, field report, or briefing) drops at 13:00 UTC.
- Standing dashboards update continuously; you can subscribe to the CVE feed we use upstream.
If you came here from Hacker News, welcome. If you came here from a vendor advisory's references section, welcome and please email us about whatever it is.
Raj Kumar
Editor, CipherGuard
London, November 2023