Editorial policy, fact-checking and corrections.

WeeSec transparency page. All content published under WeeSec or Aroua Biri's name follows the principles below: independence, verifiable sources, dated corrections, public funding disclosure, and a contact point for any question.

Publishing principles

Content published on weesec.com — blog articles, pillar pages, glossary, guides, FAQ — is written and reviewed by Aroua Biri, founder of WeeSec, cybersecurity PhD (Télécom SudParis, 2009), MIT Applied AI certified, ISO 27001 Lead Auditor (2012). No content is outsourced to ghostwriters or produced entirely by automated generation without human review and factual validation.

Editorial goal: make product security and AI security legible for technical decision-makers (CTOs, CISOs, heads of product) facing concrete decisions — not an academic review, not generic recycled content. Each article answers a dated operational question.

Fact-checking policy

Every article passes three verifications before going live:

  1. Primary sources required on regulatory texts: EUR-Lex (CRA, EU AI Act, NIS2, DORA, GDPR), official ISO website, NIST (CSF, AI RMF), AICPA (SOC 2), PCI Security Standards Council (PCI DSS), OWASP. No regulatory article is published without linking to official URLs.
  2. Dates and numbers verified: milestones (2 August 2026 for the AI Act, 11 September 2026 and 11 December 2027 for the CRA, 17 January 2025 for DORA, etc.) are systematically cross-checked against the Official Journal of the European Union before publication.
  3. Tools and technical tactics verified in real environments: recommendations on Semgrep, BloodHound, Sigstore, Garak, PyRIT, Promptfoo and other tools are only published if tested on (anonymized) client engagements or in WeeSec lab environments.

Corrections policy

If published content is inaccurate, outdated or ambiguous, the correction follows this procedure:

  • Report: email contact@weesec.com with the URL, the sentence or number concerned, and the reference source.
  • Review SLA: within 5 working days.
  • Correction: if the error is confirmed, the content is updated with a refreshed dateModified. For substantive corrections (changed number, date, conclusion), a "Correction on YYYY-MM-DD" note is added at the article footer.
  • Outdated vs erroneous: time-stamped content that becomes obsolete (regulatory change, new norm version) is tagged "Updated on YYYY-MM-DD" without removing the historical analysis.

Independence, ownership and funding

WeeSec is the trade name of FRCYBER (SIREN 839092699, intra-community VAT FR5283909269900017). Fiscal and registered address: 128 rue La Boétie, 75008 Paris, France. Independent company, 100% owned by its founder Aroua Biri. No investment fund, no industrial group, no software vendor is a shareholder or holds voting rights.

Funding: WeeSec is funded exclusively from consulting engagement revenue. No advertising income, no sponsorship, no vendor commissions, no commercial partnerships with recommended tools. No sponsored content campaigns are accepted — including for seemingly neutral evaluations.

Vendor-neutral stance: recommendations of third parties (Vanta, Drata, Sprinto, Semgrep, Snyk, SonarQube, Vault, ArgoCD, Sigstore, Garak, PyRIT, Promptfoo, OpenAI, Anthropic, Mistral, etc.) are independent and based on operational experience. No commission is received from these vendors.

Sourcing and citations policy

Content cites primary sources when the subject requires:

  • Regulatory articles: official EUR-Lex texts, ISO, NIST, AICPA, PCI SSC, ENISA, ANSSI, CNIL, OWASP websites.
  • Technical tool articles: official project documentation, GitHub repositories, release notes, CVE advisories (NVD, MITRE).
  • Market analysis articles: publicly cited sources (vendor announcements, conferences, academic papers). No non-public information obtained under client NDA is used in public content.
  • Numerical data: source explicitly cited (ENISA reports, IBM Cost of a Data Breach, Verizon DBIR, Hiscox, etc.) with vintage.

Unnamed sources: no anonymous citations are used. Client feedback is systematically anonymized (team size, sector, geography, context); no client name is cited publicly. That is the baseline posture in this profession — see the NDA section.

Diversity and inclusion policy

WeeSec is founded and operated by a woman. It is a member of CEFCYS (French Cybersecurity Women's Circle) and of the OWASP Paris Chapter. It makes an explicit commitment to the editorial visibility of women contributors and experts in the field (citations, references, recommendations) when the subject permits, without tokenism.

No discrimination in mission selection based on origin, gender, sexual orientation, religion, age or disability. The only filter is on the ethical nature of the subject (see ethics policy below).

Ethics policy

WeeSec does not accept engagements involving:

  • Offensive surveillance against individuals, journalists, dissidents or activists.
  • Help building tools or AI models whose documented main goal is to deceive, manipulate at scale, or circumvent fundamental rights (GDPR, AI Act prohibited practices).
  • Product security evaluations that serve as cover for greenwashing or compliance theater (symbolic intervention without real fixes).
  • Clients whose main activity is in direct violation of international sanctions applicable to France and the European Union.

These refusals are publicly acknowledged and documented here. They are not negotiable.

Client confidentiality (NDA)

All engagements are conducted under NDA, systematically signed before any detailed technical exchange. No client logo is publicly displayed. Feedback cited in editorial content is anonymized to a level that makes client identification impossible (size in brackets, generic sector, context without specific detail).

Unnamed sources policy

WeeSec does not use anonymous sources in editorial content. Analyses rely exclusively on: (1) official texts and public documentation; (2) operational experience of the founder, anonymized on client details; (3) publicly accessible reports.

Use of generative AI in content

Generative AI (Claude, ChatGPT, assistant copilots) is used as an editorial productivity tool (proofreading, phrasing suggestions, structure). No content is published without full human review and factual validation by Aroua Biri. Editorial signature and content responsibility remain human.

Conflicts of interest

Any public mention of a vendor, supplier or tool in an article comes with no financial counterpart. Media appearances (TF1, M6) are transparently disclosed: no editorial compensation was paid by WeeSec for those appearances. WeeSec communications on standards (ISO, NIST, OWASP) are independent of those standards' publishers.

Editorial contact

To report a factual error, request a right of reply, or ask a question on editorial choices:

  • Email: contact@weesec.com
  • Subject: prefix with [Editorial] for prioritization.
  • Review SLA: 5 working days.

Last reviewed: 2026-05-18. Policy subject to amendment. Archived versions available on request.