How VIR Community actually works
No marketing speak. Just the workflow from "I want to publish a mitigation" to "It's live in VIR's canonical CVE catalogue with my name on it."
The mitigation publishing pipeline
1. Draft
Open /m/propose. Paste the CVE-ID. Write a summary, the body (markdown), affected versions, code blocks (fix / workaround / verify / rollback), references. Save draft anytime.
2. Submit → AI review
Two independent AIs (Claude + GPT-4o) score your proposal 0-100 on technical correctness, safety, completeness. Median wins. Score drives the next step.
3. Routed by score
Under 50: returned to author with suggestions. 50-69: 2 staff reviewers required. 70-89: 1 staff + 1 Trusted member. ≥90: fast-track, 1 staff reviewer.
4. Human review
Reviewers see your draft + the AI scores + history. They can approve, return-for-edit, or reject (with reason). Decision is Ed25519-signed and added to the audit chain.
5. Published to VIR
On approval, your mitigation is signed and posted to VIR's /admin/mitigations with source_tier='community-verified'. It appears on the canonical CVE detail page within seconds, attributed to you.
6. 7-day silent objection window
Anyone in the community can flag your published mitigation during the first 7 days. After that, it's permanent. If flagged + reviewers agree, it's retracted (cascades to VIR via webhook).
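Step 4 says each reviewer decision is Ed25519-signed and appended to an audit chain. The following is an added example, not VIR's code, of how such a chain can be built and checked so that a later edit to, or reordering of, any decision is detected; the record layout, the SHA-256 links, the Decision/Append/Verify names and the placeholder CVE id are all assumptions, since the page does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Decision is one reviewer verdict in the audit chain (record layout is an assumption).
type Decision struct {
	CVE, Verdict, Reviewer string // placeholder id; "approve"/"return"/"reject"; who decided
	Prev                   string // hex SHA-256 of the previous entry, "" for the first
	Sig                    []byte // Ed25519 signature over this entry's hash
}
// hash binds the fields and the predecessor link, so editing an earlier entry breaks every later link.
func (d Decision) hash() []byte {
	h := sha256.Sum256([]byte(d.CVE + "|" + d.Verdict + "|" + d.Reviewer + "|" + d.Prev))
	return h[:]
}
// Append signs a new decision and links it to the chain's last entry.
func Append(chain []Decision, priv ed25519.PrivateKey, cve, verdict, reviewer string) []Decision {
	d := Decision{CVE: cve, Verdict: verdict, Reviewer: reviewer}
	if n := len(chain); n > 0 {
		d.Prev = hex.EncodeToString(chain[n-1].hash())
	}
	d.Sig = ed25519.Sign(priv, d.hash())
	return append(chain, d)
}
// Verify fails on any bad signature or any link that no longer matches the
// preceding entry's content (edits or reordering anywhere in the chain).
func Verify(chain []Decision, pub ed25519.PublicKey) bool {
	prev := ""
	for _, d := range chain {
		if d.Prev != prev || !ed25519.Verify(pub, d.hash(), d.Sig) {
			return false
		}
		prev = hex.EncodeToString(d.hash())
	}
	return true
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chain := Append(nil, priv, "CVE-XXXX-YYYY", "approve", "staff-1")
	chain = Append(chain, priv, "CVE-XXXX-YYYY", "return", "trusted-1")
	fmt.Println("intact:", Verify(chain, pub))
	chain[0].Verdict = "reject" // rewrite an earlier decision
	fmt.Println("tampered:", Verify(chain, pub))
}
```

In practice each reviewer would sign with their own key and the verifier would look the public key up from the record, but the chain check is the same.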
The vulnerability disclosure pipeline
1. Drop a report
/m/disclose. Vendor, product, version, type of vuln, impact, suggested mitigation. PGP-sign if you want.
2. CNA routing
We figure out whether the right CNA is the vendor (Apple PSIRT, MSRC, Cisco), upstream (kernel.org), GitHub Security, or MITRE. Routed automatically.
3. Coordinated handling
You get email updates at each step. Embargo respected. Vendor patches. CVE-ID assigned.
4. Published with credit
When embargo lifts, the CVE lands in VIR with your name on it. Permanent public record.