Guiding principle
Better to under-claim than to over-claim. If we can only cite a vendor blog post for a security property, we say "vendor claims" and explain what independent evidence would look like. A conservative statement that ages well beats a sharp statement that requires silent editing later.
The four-step process
- Primary source lookup. Every specific claim (parameter set, key size, timeline date, standardization step) is traced to a NIST publication, IETF draft/RFC, protocol repository commit, peer-reviewed paper, or the project's own signed release notes.
- Second reader review. A second contributor re-derives the claim from the cited source without reading the draft first. Discrepancies block publication.
- Uncertainty flag. Any claim that depends on a future event (Q-day timelines, roadmap ship dates, breakage estimates) is written with an explicit confidence marker and a link to methodology.
- Reader-facing sources block. Sources appear at the bottom of every research note in a labelled Sources section so readers can verify without hunting.
Source hierarchy
When two sources disagree, we default to the higher tier:
- Tier 1 — NIST FIPS/SP, IETF RFCs, peer-reviewed cryptographic papers.
- Tier 2 — IETF drafts, official protocol repositories, signed release notes, audit reports from named cryptographers or firms.
- Tier 3 — foundation blogs, developer forum posts, conference talks, credentialed cryptographers on personal channels.
- Tier 4 — general news reporting. Used only for context, never as sole evidence for a security claim.
Handling uncertainty
Cryptographically relevant quantum computers do not yet exist. Any statement about "when" is a forecast, not a fact. We use language like most public estimates place, the conservative planning horizon is, and no public evidence supportsinstead of dressing forecasts up as certainties.
AI-assisted drafting
Some drafts are outlined with the help of language models. See the full AI Usage Disclosure. Every AI-touched sentence is reviewed by a human contributor against primary sources before publication. Language models do not generate scoring, rankings, or recommended actions.
How we publish corrections
Material corrections are appended to the affected page in a dated changelog and, where they affect a scored project, reflected in the next rankings update. Silent edits are reserved for typos and formatting.
Report an error
Email support@quantumcryptorisk.com with the URL and the specific sentence you're disputing. Include a link to the primary source you think we missed and we will respond within five business days.