Editorial Standards

How we test, source, and disclose in a YMYL category. Last updated April 2026.

Independence

Advertisers and affiliate partners do not see coverage before publication, cannot request changes, and cannot pay for better rankings. Our ranking of a VPN, password manager, or antivirus reflects our testing — not its commission rate. Several of our top picks pay us nothing. When a service we cover has an affiliate program we participate in, we say so explicitly in the article.

VPN testing methodology

1. Subscribe at the standard consumer tier. Never using courtesy/comped accounts from vendors.
2. Speed tests: Ookla speedtest-cli, minimum 3 runs per server, median reported. 5 nearby servers + 5 international servers.
3. Leak tests: DNS leak (dnsleak.com), IPv6 leak, and WebRTC leak tests. We document failures publicly.
4. Privacy policy: read in full, with specific flags for logging, data retention, third-party sharing, and jurisdictional exposure.
5. No-logs claims: we trust only audited claims. We list the auditor, audit date, and scope.
6. Jurisdiction: we flag where the company is incorporated and what surveillance alliances (5/9/14 Eyes, MLATs) that exposes it to.

Password manager testing

Hands-on testing on desktop and mobile, autofill reliability across 20+ common sites, recovery-account testing, cross-referenced breach history and third-party security audits (Cure53, ISE, SOC 2).

Antivirus testing

We cross-reference third-party detection-rate data from AV-Test and AV-Comparatives rather than conducting our own virus-scanning benchmarks (which require a malware research environment most ethical publishers won't maintain). We test usability, performance impact, and false-positive rates directly.

Sourcing

Pricing, feature, and policy claims are sourced from the vendor's official pages as of the article's last-updated date. Audit results are sourced from the published audit report. Breach history is sourced from HaveIBeenPwned, CVE databases, and public reporting. We do not reproduce vendor marketing copy as editorial.

Affiliate disclosure

Every article with affiliate links carries this disclosure at the top: "We earn a commission when you sign up through our links. This doesn't change your price and doesn't affect our rankings." Full policy: Affiliate Disclaimer.

Updates & freshness

Security products change policy and pricing frequently. We revisit our reviews quarterly at minimum, and immediately upon: a company changing jurisdiction, a new independent audit being published, a credible breach disclosure, or a material privacy-policy change.

YMYL responsibility

Security advice can affect financial safety and legal exposure. We try to be honest about the limits of generic advice — if your threat model involves nation-state adversaries, domestic abuse, or legal exposure in hostile jurisdictions, generic consumer VPN and password-manager picks are inadequate. We will say so and point to specialist resources (EFF's Surveillance Self-Defense, NNEDV's Tech Safety, Freedom of the Press Foundation).

Corrections

When we get something wrong, we fix it in-place, add a corrections note, and — if the error was safety-relevant — post an update at the top of the article. Email corrections@smartsecurehaven.com.

AI use

We use AI (primarily Claude) for research, drafting, and formatting. Every article is reviewed by a human editor who is responsible for accuracy, safety-relevance, and final sign-off. We do not publish unedited AI output, fabricated audit results, invented breach data, or hallucinated vendor claims.

What we won't do

• Take payment for favorable coverage.
• Accept free subscriptions in exchange for positive reviews.
• Rank services by commission size rather than test results.
• Publish "best VPN" lists that are thinly-disguised commission stacks.
• Hide affiliate relationships.
• Give security advice that exceeds our testing — if we haven't tested it, we don't recommend it.