Whiten Baker Labs · Programs

Two programs. One pipeline.

Every silent patch the lab finds began as a vendor’s decision to stay quiet. These programs exist to change the math on that decision.

Program Status

  • Programs: 2 Active
  • Researchers: Recruiting
  • Disclosures: Accepting
  • Pipeline: MITRE + Regulatory
  • Coverage: 9 Ecosystems
  • Output: Court-Ready

The industry has a 0.44% disclosure rate. That is not a gap. That is a policy.

Across nine open-source projects with significant production deployment, the lab found 4,121 security-relevant patches. Of those, 4,103 were never disclosed. Not misclassified. Not delayed. Buried.

The current system relies on vendors self-reporting their own security failures. Vendors do not self-report. The lab's detection pipeline catches the silent fixes anyway. But detection alone does not fix the incentive structure. These two programs do.

4,103 · Undisclosed Patches
Security fixes merged across 9 production codebases with no public advisory, no CVE, and no downstream notification.

0.44% · Industry Disclosure
The rate at which vendors voluntarily report their own security fixes. Less than one in two hundred.

150+ · CVEs Filed
Formal disclosure through MITRE for the highest-severity findings the lab has confirmed.

47+ · Downstream Networks
Forks, integrations, and dependent systems left exposed because the upstream vendor chose silence.

Two Sides · Same Pipeline

One finds the silence. The other breaks it.

For Vendors

Voluntary Disclosure

You fixed the vulnerability. You did not issue a CVE. You did not notify downstream. We probably already know. This program exists because getting ahead of the filing is better than being named in it.

  • Documented cooperation in the regulatory file
  • Opportunity to control the remediation narrative
  • Reduced enforcement exposure when regulators assess intent
  • Timestamped evidence of good faith

For Researchers

Silent Patch Bounty

Find the commit. Prove the fix. Document the silence. Get paid. Every submission feeds the regulatory pipeline that holds vendors accountable.

  • Paid per verified finding
  • Researcher identity protected
  • CVE filed through MITRE on your behalf
  • Credit in the public advisory

How the Pipeline Works

  1. Intake · Bounty submission or vendor disclosure
  2. Validation · Lab confirms security relevance and impact
  3. MITRE Filing · CVE assigned through formal disclosure
  4. Mapping · Downstream exposure across forks and networks
  5. Delivery · Court-ready package to regulators

Program Rules

Where we draw the line.

We Do

  • Pay for verified silent patch discoveries
  • Accept voluntary vendor disclosures at any stage
  • Protect researcher identity by default
  • Document cooperation in the regulatory file
  • File CVEs through MITRE for qualifying findings
  • Provide plain-language regulatory translation

We Do Not

  • Accept theoretical or speculative submissions
  • Disclose researcher identity without explicit consent
  • Negotiate on behalf of vendors with regulators
  • Accept findings on targets outside program scope
  • Guarantee specific enforcement outcomes
  • Delay filing to accommodate vendor timelines

Join the Program

The pipeline is open.

Whether you are a researcher who found the silence or a vendor who wants to break it, the intake is the same. Submit. The lab handles the rest.

Inquiries reviewed within 48 hours · Researcher identity protected by default