Closed Beta · Researcher Access by Application

PoC Builder.

From finding to filed in minutes. Adversarially validated. Severity calibrated. Built on the same kill-loop methodology behind our own CVE work.

Product: Methodology service
Model: Subscription · Credits
Output: Platform-ready PoC
Delivery: Real-time in-session
Status: Closed beta
Access: By application

Finding the bug is the easy part. Turning it into a PoC that survives platform triage on the first read is the part that eats your evenings.

Triage is the bottleneck. A real vulnerability, written up by a tired hunter at 2 AM, gets read by an analyst at 9 the next morning and closed for missing reproduction steps, unclear severity, or insufficient evidence. The hunter loses the bounty, the program loses the bug, and the next attacker finds it later for free.

PoC Builder is the kill-loop between confirmed finding and submission-ready evidence. You bring the discovery. We run it through the same adversarial pipeline we use on our own CVE work. What comes back is a reproduction, an exploitation chain, a CVSS score with calibration notes, and a writeup shaped for the platform you are filing to.

You ship the bug. You keep the bounty. We bill for the methodology.

The Gauntlet.

Six phases. Adversarial throughout. No PoC ships until it has survived every pass. The readout below is a single submission moving through the pipeline in real time.

Running Submission a7f3b2e9 · Elapsed 00:42
PHASE 01 · REPRODUCE
Submission received. Hash a7f3b2e9c1d8…
Provisioning isolated reproduction environment…
Environment ready. Replaying submitted request chain.
Reproduced. Response delta: 1.4s. Confirmation: clean.
PHASE 02 · ADVERSARIAL VALIDATION
Pass 1/3 starting. Hypothesis: input validation bypass.
Falsified. Pivoting to authorization control.
Pass 2/3. Hypothesis: race condition on token check.
Confirmed. Window: ~340ms. Reliably exploitable.
Pass 3/3. Adversarial framing: can vendor reasonably deny?
Cannot. Three independent reproductions stable.
PHASE 03 · EVIDENCE GATE
Cross-checking against CWE classifications…
CWE-367 (TOCTOU race) confirmed.
Searching prior art and CVE precedents…
No conflicting prior disclosure. Novel finding.
PHASE 04 · EXPLOIT CHAIN
Constructing minimal reproducer (curl + Python).
Annotating each request with intent and expected response.
Generating attack tree. Mapping pivots.
Chain complete. Reviewer-grade documentation generated.
PHASE 05 · SEVERITY CALIBRATION
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base score: 8.1. Class: HIGH.
Calibrating against target program scoring conventions…
Adjusted recommendation: 8.1 HIGH. Confidence 0.94.
PHASE 06 · DELIVERY
Assembling final package: writeup, PoC, CVSS, screenshots.
Templating for target platform conventions.
Delivered. Severity 8.1 HIGH. 6 credits charged.
Awaiting next submission…

Tiers and Credits.

Pay for what you ship. Credits scale with severity. Unused subscription credits roll over, up to 2x your monthly allocation. One-time top-ups available for non-subscribers.

Sandbox
Free
5 credits / month
  • Queue: 24 hour SLA
  • Output: Triage verdict only
  • Use case: Sample the methodology
  • Seats: Single researcher
Pro
$129/ month
120 credits / month
  • Queue: 15 minute SLA
  • Output: All severities + chains
  • Use case: Full-time hunter
  • Seats: Single + 1 collaborator

Need team access? More than two researchers, custom credit allocations, or retainer-style support – write to drew@whitenbaker.com and we’ll scope it.

Output · Credits
  • 01 Triage verdict: real / not real with reasoning · 1 credit
  • 02 Low / Medium PoC: CVSS 3.9 – 6.9 · reproducer + writeup · 3 credits
  • 03 High PoC: CVSS 7.0 – 8.9 · reproducer + chain + writeup · 6 credits
  • 04 Critical PoC: CVSS 9.0+ · full chain + impact analysis · 10 credits
  • 05 Chained / multi-stage: 2+ vulns combined · attack tree + remediation map · 15 credits
Non-subscriber top-ups · 20 credits $49 · 50 credits $99 · 200 credits $349

We file CVEs directly with MITRE. We do not depend on platform triage queues, and we do not wait for vendor permission to publish severity assessments that the public is entitled to know.

Engagement with Whiten Baker is direct, time-boxed, and adult. Programs that prefer to administer disclosures at their own pace are welcome to do so without us.

By the Numbers.

Whiten Baker production, year to date. All CVE assignments MITRE-verifiable via public lookup. Numbers replace adjectives.

40+
CVEs filed YTD
Direct MITRE assignment. CNA brokerage bypassed.
9.5
Peak CVSS severity
Highest single-finding severity in current portfolio.
100%
MITRE-direct assignment
Every CVE in the portfolio filed direct, none platform-brokered.
4
Active research classes
Consensus, identity, payments, secrets management.
Verifiable via MITRE CVE lookup · Last updated this quarter

Why a Whiten Baker PoC clears triage.

Four principles that govern every submission through the pipeline. Borrowed from our own CVE work and applied without exception.

01 · Principle

Kill-loop before ship.

Every finding survives three adversarial passes before it is packaged. We try to falsify our own work harder than any reviewer will.

02 · Principle

Evidence is gated.

Reproductions must be clean and independent. Three consecutive stable runs in an isolated environment, or it does not leave the lab.

03 · Principle

Severity is calibrated.

CVSS vectors are scored conservatively and cross-checked against target program scoring conventions. We do not inflate.

04 · Principle

Disclosure is direct.

If you want a CVE, we route to MITRE directly. We do not depend on platform queues to administer your finding’s identity.

Closed Beta

Apply for access.

Cohorts of fifteen researchers admitted per month. Applications reviewed by the founder. Decisions returned within seventy-two hours.

Bring a recent finding if you want a Sandbox triage on first contact. Founders evaluating Whiten Baker for vendor engagement may apply through the same form and will receive a separate response.

drew@whitenbaker.com · Toronto