About the Bad Character Scanner Blog & Editorial Standards
Our Mission
The Bad Character Scanner Blog provides security research analysis and commentary focused on invisible character threats, Unicode vulnerabilities, and software supply chain security.
We strive to follow Canadian Press journalistic principles adapted for a volunteer-run, independent blog based on internet research and informed opinion.
What We Cover
Primary Topics
Invisible Character Vulnerabilities
Zero-width Unicode, bidirectional overrides (CVE-2021-42574), malformed UTF-8 sequences
AI Code Security
LLM prompt injection, GitHub Copilot/Cursor AI vulnerabilities, AI-generated code risks
Software Supply Chain Security
Dependency scanning, build pipeline protection, source code integrity
Security Research Analysis
Commentary on industry findings, CVE analysis, comparative security approaches
Our Approach
Internet-Based Research & Commentary
What we do:
- Research security topics using publicly available internet sources
- Provide commentary and analysis on security research from others
- Share informed opinions based on available information
- Reference authoritative sources when available (CVE databases, Unicode Consortium, academic papers)
What we don't claim:
- Extensive independent verification or laboratory testing
- Definitive fact-checking beyond internet research
- Immediate or guaranteed responses to inquiries
- Professional-level peer review process
Balanced Perspective
We believe in presenting multiple perspectives on security challenges:
- Acknowledge Limitations: We discuss the boundaries of our own tools and approaches
- Credit Peers: When other researchers (like PromptFoo) make valuable contributions, we recognize their work
- Complementary vs. Competitive: We identify where different security tools work together rather than compete
- Industry Context: We situate findings within broader cybersecurity trends
Volunteer-Run & Independent
Important Context:
This is a volunteer-run blog with limited time and resources. We:
- Cannot guarantee rapid responses to inquiries
- May be delayed by other commitments and online content
- Rely on internet research rather than extensive investigation
- Provide commentary and opinion rather than authoritative guidance
- Appreciate patience and understanding from readers
Our editorial decisions are based on:
- Public interest and security research value
- Available time and volunteer capacity
- Educational benefit to the developer community
Not based on:
- Commercial promotion
- Dismissing competitive approaches
- Sensationalizing vulnerabilities for attention
Editorial Standards
1. Research and Sourcing
We strive to:
- Reference publicly available sources including CVE databases, academic research, and security advisories
- Provide links to source materials when available
- Clearly distinguish between information from authoritative sources and our editorial analysis
- Correct errors when brought to our attention (as time permits)
- Be transparent about the limitations of volunteer-run research
Our content is based on:
- Publicly available internet research and documentation
- Analysis of security research published by others
- Commentary and opinion based on available information
- Testing within our available resources
Important Note: As a volunteer-run blog, we rely primarily on internet research and publicly available sources. We do not have resources for extensive independent verification or laboratory testing. Our content represents informed opinion and analysis rather than definitive fact-checking.
2. Attribution and Transparency
Following Canadian Press principles, we:
- Attribute information to original researchers and organizations when possible
- Provide links to source materials when available
- Credit discoveries appropriately (e.g., PromptFoo's research on zero-width steganography)
- Distinguish between original analysis and commentary on others' work
3. Opinion vs. Commentary
Editorial Content is Clearly Labeled:
- Opinion pieces are marked as "Editorial Analysis" or "Commentary"
- Author bylines identify contributors (e.g., "by J. Shoy")
- Editorial opinions are distinguished from reporting on published research
- Disclaimers appear at the beginning and end of opinion pieces
When Referencing External Research:
- CVE details and vulnerability disclosures are referenced from official sources with attribution
- We present information as reported by original sources
- Multiple perspectives are considered when analyzing security approaches
- We prioritize informational value over promotional content
4. Conflicts of Interest
We disclose potential conflicts of interest:
- Editorial Independence: Authors' opinions do not represent official company positions
- Commercial Transparency: When discussing Bad Character Scanner products, we clearly identify complementary (not competing) solutions
- Research Integrity: We acknowledge limitations in our own tools and methodologies
Content Types
1. Research Analysis Articles
Example: "PromptFoo Gets It: Invisible Unicode Characters Are Backdooring AI Code"
- Analysis and commentary on security research from industry and academia
- Original research findings from Bad Character Scanner testing and analysis
- Full attribution to original researchers and CVE sources
- Commentary on security implications
Standard: Clear distinction between analyzing others' research and presenting original findings, with clearly labeled editorial analysis
2. Technical Guides
Example: Implementation guides, security best practices, scanning tutorials
- Step-by-step instructions based on available documentation
- Procedures referenced from official sources
- Educational purpose with disclaimer to test in safe environments
- Tool-agnostic where possible
Standard: Educational purpose, disclaimers about testing in appropriate environments
3. Opinion & Commentary
Example: Editorial pieces by J. Shoy and other contributors
- Clearly labeled as opinion/editorial
- Author attributed by name
- Supporting evidence cited when available
- Follows Canadian Press opinion principles
Standard: Transparent attribution, distinguished from factual reporting
4. Industry Trends & Statistics
Example: AI code adoption rates, vulnerability disclosure trends
- Data from authoritative sources (Statistics Canada, GitHub, NIST)
- Clear citation of source material
- Context provided for interpretation
Standard: Data-driven, sourced, attributed
Editorial Process (Volunteer Capacity)
Research Process
- Source Review: Claims referenced from publicly available research, CVE databases, or official documentation
- Internet Research: Information gathered from authoritative online sources when time permits
- Analysis: Technical content analyzed and interpreted to the best of our volunteer capacity
- Source Attribution: Statistics and claims attributed to their published sources
Writing and Attribution
- Source Attribution: Claims attributed to their published sources when possible
- Author Attribution: Opinion pieces clearly attributed to individual authors
- Editorial Labels: Opinion, analysis, and commentary clearly distinguished
- Disclaimers: Standard disclaimers appear on all content emphasizing educational purpose and the need for independent verification
Corrections and Updates
When errors are identified, we:
- Make reasonable efforts to correct inaccuracies when brought to our attention
- Add "Updated: [DATE]" to article metadata when corrections are made
- Note significant corrections transparently when feasible
- Update outdated information when volunteer time permits
Updates may be made for:
- Errors in attribution or source citations
- Broken links to source materials
- New publicly available information
- Reader-reported inaccuracies
Important Note: As a volunteer-run blog with limited resources, we:
- Cannot guarantee immediate responses to correction requests
- Will review submissions as time and capacity allow
- May be delayed by other commitments and priorities
- Appreciate patience and detailed correction submissions
- Cannot provide comprehensive fact-checking beyond initial research
Canadian Journalistic Principles (Adapted)
Following Canadian Association of Journalists (CAJ) Ethics Guidelines:
- Seek Truth and Report It: We research security topics using available internet resources and reference authoritative sources
- Minimize Harm: We avoid disclosing exploit details that could enable attacks while educating about threats
- Act Independently: Editorial decisions are made based on public interest, not commercial considerations
- Be Accountable and Transparent: We provide contact information and respond to legitimate concerns as volunteer time permits
Our Contributors
Editorial Team
The Bad Character Scanner Editorial Team oversees content quality and adherence to adapted journalistic standards within volunteer capacity.
Security Contributors
J. Shoy - Security Contributor & Editorial Analyst
- Specializes in Unicode security, invisible character threats, and software supply chain vulnerabilities
- Opinion pieces and editorial analysis
- Contact: Through Contact Page
(Additional contributors will be listed as they join)
Contact & Feedback (Volunteer Response Times)
Get in Touch
We welcome feedback, questions, and concerns about our content:
Contact Methods:
- General Inquiries: Contact Page
- Technical Questions: Use contact form with "Technical Question" in subject
- Correction Requests: Use contact form with "Correction Request" in subject
- Guest Contributions: Use contact form with "Guest Contribution" in subject
Response Expectations:
- We will make reasonable efforts to respond when volunteer time permits
- Response times may vary significantly based on volunteer availability
- We may be delayed by other commitments and online content
- Urgent security concerns will be prioritized when possible
- Patience and understanding are greatly appreciated
What We Respond To (As Time Permits)
- Errors in attribution or source citations
- Questions about our methodology or sources
- Suggestions for coverage topics
- Guest contribution inquiries
- Technical clarifications
Compliance with Canadian Standards
This blog strives to adhere to principles from:
- Canadian Press (CP) Stylebook for editorial standards (adapted for volunteer capacity)
- Canadian Association of Journalists (CAJ) ethics guidelines
- Personal Information Protection and Electronic Documents Act (PIPEDA) for privacy
Our Promise (Realistic Expectations)
What You Can Expect
We believe security commentary and analysis deserve transparency and integrity. When you read the Bad Character Scanner Blog, you can expect that:
- Information is sourced from publicly available authoritative sources when possible
- Opinions are clearly labeled and attributed to authors
- We acknowledge limitations of our volunteer-run research capabilities and resources
- Sources are cited with links when available
- Content is educational and readers are encouraged to conduct their own verification
- We respond to corrections when errors are brought to our attention and time permits
- We're transparent about being volunteer-run with variable response times
Please Note: This is a volunteer-run, independent blog based on internet research and opinion. We do not have extensive fact-checking resources, laboratory facilities, or guaranteed response times. Content should be considered informed commentary rather than definitive security guidance. Always conduct your own research and consult security professionals for critical decisions.
Updates to This Page
This page will be updated as our blog evolves and volunteer capacity allows. Check the "updated" date in the metadata for the most recent revision.
Last Updated: October 22, 2025
Editorial Standards Notice
This volunteer-run blog follows journalistic principles adapted for independent security research and commentary. Our content is based on publicly available sources and represents informed analysis rather than definitive fact-checking.
Corrections: If you believe any information is inaccurate or requires correction, please submit your concern through our contact page with "Correction Request" in the subject line. Our volunteer editorial staff will review your submission as time permits and re-evaluate the facts as appropriate. We are committed to transparency and will update content when legitimate errors are identified and volunteer capacity allows.