Independent Vulnerability Clearing House
Governments have created obligations around vulnerability disclosure (PSTI, CRA, NIS2, DORA), but no independent infrastructure exists to verify whether they are being met. The Clearing Room is that infrastructure. Every finding is verified, every outcome is recorded permanently, and every participant sees the same data.
A researcher submits a vulnerability. We verify it independently, score it, and manage the disclosure process. From this single event, value radiates outward to every participant in the ecosystem.
01 Submit: Day 0
02 Verify: Day 1–5
03 Notify: Day 5
04 Remediate: Day 5–91
05 Publish: Day 91
06 Compound: Day 91+
Why this is not a bug bounty platform
Existing disclosure models treat each vulnerability as a one-time transaction. The Clearing Room treats it as a data point in a permanent, compounding dataset. The finding matters to three audiences. The pattern over time matters to five more.
Layer 1 — The finding
The researcher who found it. The vendor who needs to patch it. The defender who needs to write a detection signature. For these three, the individual finding is the unit of value.
Layer 2 — The dataset
Frequency. Severity distribution. Response velocity. Pledge honour rates. Sector trends. For insurers, procurement, regulators, downstream users, and boards, the value is not the bug — it is the behavioural data that accumulates around it.
The clearing house insight
Every finding is an event. The dataset is the asset. The more findings that flow through the clearing house, the richer the signal becomes for every participant — including those who never see the original bug.
Value radiates to eight audiences
A single verified finding generates 12 distinct outputs consumed by 8 different audience types. Every additional finding increases value for every participant simultaneously.
01 Researcher: bounty payment, intelligence credits, permanent attribution, legal defence fund, 5% commission
02 Defender: pre-disclosure detection signatures, SBOM component alerts, sector threat feed
03 Vendor: 90-day private remediation window, clean engagement record, hash-verified engagement receipt
04 Insurer: vendor posture data, sector benchmarks, engagement receipt, unpatched exposure feed
05 Procurement: vendor engagement profile, dependency exposure mapping, attestation card for due diligence
06 Regulator: obligation indicators, compliance mapping, industry benchmarks by sector
07 Downstream: Trust Inheritance cascade notification, ecosystem-funded bounty, remediator credit
08 Board & C-Suite: engagement tier summary, unpatched exposure count, regulatory readiness dashboard
Cross-audience value matrix
Each row of the matrix is a distinct output generated by a single verified vulnerability, marked against the eight audience types (Researcher, Defender, Vendor, Insurer, Procurement, Regulator, Downstream, Board) that consume it. The density of the matrix is the compound network effect. The twelve outputs are:

- Published advisory
- BRS score
- Engagement tier
- Engagement receipt
- Pre-disclosure access
- SBOM component alert
- TI cascade notification
- Bounty payment
- Intelligence credits
- Regulatory obligation flag
- Sector benchmark
- Won't-Fix listing
Position
Existing vulnerability disclosure models are two-sided marketplaces where the vendor is the customer and the researcher is labour. The Clearing Room is clearing house infrastructure where nobody is the customer. Everyone is a participant in a process. The process runs regardless of whether anyone cooperates.
Editorial and commercial data are separated by access control. Timelines are system-enforced. No human can delay a publication for a paying subscriber. The exception log is public.
Every finding publishes at day 91. Patched or not. Pledged or not. The outcome is recorded permanently. There is no mechanism for suppression, delay, or retraction.
The researcher owns their finding. Not the platform. Not the vendor. Full attribution, portable record, no NDA. Work is never used to train AI models. This is a structural commitment.
Vendors pledge bounties publicly via DNS TXT record or on-platform commitment. No upfront cash. No financial escrow. Reputational accountability through permanent public record of whether pledges are honoured.
The engagement receipt is a SHA-256 hash-verified, machine-readable attestation of how a vendor responds to disclosure, delivered as JSON-LD, PDF, and a verification URL. It is designed for insurers, procurement, and audit committees.
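The check an insurer or auditor would actually run against such a receipt is shown below as an added example; it is not The Clearing Room's code, and the receipt schema, field names and context URL are assumptions made for illustration. The point it makes that the paragraph does not is that a hash over JSON is only meaningful over a canonical serialisation (sorted keys, no whitespace), and that the reference digest must come from the clearing house's verification URL rather than from the document being verified.

```python
import hashlib
import hmac
import json

# Constructed sample receipt. Field names and the @context URL are assumptions,
# not the real Clearing Room schema.
SAMPLE_RECEIPT = {
    "@context": "https://example.invalid/engagement-receipt/v1",
    "@type": "EngagementReceipt",
    "finding_id": "EXAMPLE-0001",
    "vendor": "ExampleVendor Ltd",
    "notified_day": 5,
    "acknowledged": True,
    "patched_by_day_91": True,
    "pledge_honoured": True,
}


def canonical_bytes(receipt: dict) -> bytes:
    """Serialise so that two semantically equal receipts hash identically.

    Sorted keys and compact separators remove key-order and whitespace
    differences; ensure_ascii=False keeps non-ASCII vendor names as UTF-8
    rather than \\u escapes, so the bytes are stable across producers.
    """
    return json.dumps(
        receipt, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def receipt_digest(receipt: dict) -> str:
    """SHA-256 hex digest of the canonical form of a receipt."""
    return hashlib.sha256(canonical_bytes(receipt)).hexdigest()


def issue_receipt(receipt: dict) -> dict:
    """Simulate what the clearing house publishes: the receipt plus the digest
    that would be served at the verification URL (constructed value here)."""
    return {
        "receipt": receipt,
        "verification_url": f"https://example.invalid/verify/{receipt['finding_id']}",
        "published_sha256": receipt_digest(receipt),
    }


def verify_receipt(published: dict) -> bool:
    """Recompute the digest and compare it with the one the clearing house
    published. In a real check, published_sha256 is fetched from the
    verification URL, never read out of the PDF or JSON being verified."""
    expected = published["published_sha256"]
    actual = receipt_digest(published["receipt"])
    # Constant-time compare: not strictly needed for a public hash, but a
    # harmless habit for any equality check on security-relevant values.
    return hmac.compare_digest(expected, actual)


def tampered_copy(published: dict) -> dict:
    """A vendor editing their own receipt after the fact: flip one field.
    The published digest no longer matches, so verification fails."""
    altered = dict(published)
    altered["receipt"] = dict(published["receipt"])
    altered["receipt"]["patched_by_day_91"] = not published["receipt"]["patched_by_day_91"]
    return altered


if __name__ == "__main__":
    published = issue_receipt(SAMPLE_RECEIPT)
    print("digest:", published["published_sha256"])
    print("genuine verifies:", verify_receipt(published))
    print("tampered verifies:", verify_receipt(tampered_copy(published)))
```

Because the digest is computed over the canonical bytes, a receipt that was re-serialised with different key order or indentation still verifies, while a single changed field does not. A bare SHA-256 proves integrity against the published value, not authorship; the binding to the clearing house comes from where the reference digest is fetched, which is why it must be retrieved independently from the verification URL.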
The BRS is a seven-dimension impact score, graded BRS-1 to BRS-5. CVSS scores the vulnerability; BRS scores the consequence. The methodology is published, so anyone can verify a score.
Regulatory tailwind
Every regulation below mandates some form of vulnerability disclosure, supply chain accountability, or documented incident response. None of them create the infrastructure to verify compliance. The Clearing Room is the first independent infrastructure designed to fill that gap.
PSTI (UK). Connected products must have a public vulnerability disclosure process.
CRA (EU). Products with digital elements must have coordinated vulnerability disclosure.
NIS2 (EU). Essential entities must manage supply chain cybersecurity risk.
DORA (EU). Financial services must assess ICT third-party risk with verified data.
UK. Operational resilience requires evidence of vulnerability management.
Regulation is creating the demand. The infrastructure doesn't exist yet. We're building it. If you fund what's next in security infrastructure — this is early, this is real, and this is the conversation.
investors@theclearingroom.io