Pluck Studio / Bureau

AVAP

AI Vulnerability Auction Protocol. Vendors stake to delay disclosure. Civil society stakes to release it. A neutral threshold quorum decides when the seal breaks. Pluck records the math, never holds custody.

The HackerOne-killer

HackerOne and Bugcrowd are 1:1 channels: a researcher reports, the vendor decides whether to pay, and the public sees only what the vendor allows. AVAP is N:N. The market — not the vendor — sets the disclosure clock. A vendor that wants to extend the window must pay for it on a public ledger that anyone can see.

What AVAP composes

AVAP doesn't invent new primitives. It composes the cryptographic verbs already shipping across the Bureau:

  • NUCLEI — the signed probe-pack that proves a vulnerability exists
  • DRAGNET — runs the probe-pack against the target until red dot
  • FINGERPRINT — proves which model the dot fired against
  • MOLE (optional) — adversarial training-data extraction proof
  • BOUNTY — after unseal, dispatches to HackerOne / Bugcrowd
  • OATH — vendor's signed Disclosure/v1 is the contradiction target; silent fix triggers a red dot

What lands on Rekor

  • AVAP/v1 — the auction-open envelope. References the NUCLEI probe-pack, FINGERPRINT scan, and optional MOLE PoC by Rekor uuid. Threshold-party slate + closesAt + disclosureDeadline time-locks.
  • AVAP.Bid/v1 — single signed bid against an open auction. direction: "delay" (vendors stake to extend) or direction: "immediate" (civil society stakes to release). Amounts are informational only; payouts settle off-platform.
  • AVAP.Unseal/v1 — the threshold unseal envelope. k-of-n slate parties each contribute an Ed25519 signature over the canonical {auctionId, outcome, unsealedAt} triple; the verifier accepts only if it finds k valid signatures from k distinct fingerprints on the auction's party slate. k-1 signatures, or k signatures that include a duplicate party or a key not on the slate, are rejected.
  • AVAP.Distribution/v1 — the payout ledger. Default split: researcher 70%, treasury 20%, civil society 10%. The vendor-buyout outcome flips it to 80/15/5. Payout fractions must sum to ≤ 1; off-platform payment receipts are attached as opaque strings.

Threshold semantics

AVAP's threshold is simpler than Verifiable Secret Sharing (VSS). Every party's public-key fingerprint is listed on the slate at auction-open; unseal requires k of those parties to each publish a signature over the canonical auction body. The signatures do not reconstruct a secret. They are a verifiable quorum vote that gates the time-lock, and k-1 colluding parties cannot produce a valid unseal because the quorum check fails closed: fewer than k distinct slate signatures, and the verifier rejects the envelope.

This is documented as a quorum-vote-controlled time-lock rather than full Verifiable Secret Sharing. The guarantee is about verification, not confidentiality:

Without k valid signatures from k distinct slate fingerprints in the unseal envelope, the verifier rejects the unseal, and the auction body remains sealed from the verifier's perspective. Because no secret is split, the seal does not encrypt anything: a party who already holds the plaintext body can leak it outside the protocol, and the only thing the quorum guarantees is that no AVAP.Unseal/v1 envelope verifies without it.
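The quorum check described for AVAP.Unseal/v1 and in the two paragraphs above, written out as a verifier. This is an added example and not Pluck's code; it assumes a fingerprint is the hex SHA-256 of the raw Ed25519 public key and that the canonical body is the compact JSON of the triple in {auctionId, outcome, unsealedAt} order. It deliberately exercises the ways a quorum can be faked: k-1 signatures, one party signing twice, a signer who is not on the slate, and two parties signing different bodies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Hypothetical AVAP.Unseal/v1 quorum verifier (added example, not Pluck's code).
// Assumption: a party's fingerprint is hex(sha256(raw Ed25519 public key)).

// UnsealBody is the canonical {auctionId, outcome, unsealedAt} triple every party signs.
type UnsealBody struct {
	AuctionID  string `json:"auctionId"`
	Outcome    string `json:"outcome"`
	UnsealedAt string `json:"unsealedAt"`
}

// Share is one party's contribution to the unseal envelope.
type Share struct {
	Fingerprint string
	PublicKey   ed25519.PublicKey
	Signature   []byte
}

func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// canonical serialises the triple deterministically: encoding/json writes struct
// fields in declaration order with no whitespace, so signers and verifier
// sign and check byte-identical input.
func canonical(b UnsealBody) []byte {
	out, _ := json.Marshal(b) // cannot fail for a struct of plain strings
	return out
}

func Sign(priv ed25519.PrivateKey, b UnsealBody) Share {
	pub := priv.Public().(ed25519.PublicKey)
	return Share{Fingerprint: Fingerprint(pub), PublicKey: pub, Signature: ed25519.Sign(priv, canonical(b))}
}

// VerifyUnseal fails closed: it returns an error unless at least k shares from
// distinct members of the auction's party slate carry valid signatures over the
// canonical body. A second share from one party counts once; a signer who is
// not on the slate counts for nothing.
func VerifyUnseal(slate []string, k int, body UnsealBody, shares []Share) (int, error) {
	if k < 1 || k > len(slate) {
		return 0, fmt.Errorf("threshold %d not in 1..%d", k, len(slate))
	}
	msg := canonical(body)
	inSlate := make(map[string]bool, len(slate))
	for _, f := range slate {
		inSlate[f] = true
	}
	accepted := map[string]bool{}
	for _, s := range shares {
		switch {
		case Fingerprint(s.PublicKey) != s.Fingerprint: // key does not match the claimed identity
		case !inSlate[s.Fingerprint]: // not a slate member
		case accepted[s.Fingerprint]: // duplicate share from one party
		case !ed25519.Verify(s.PublicKey, msg, s.Signature): // wrong key or a different body
		default:
			accepted[s.Fingerprint] = true
		}
	}
	if len(accepted) < k {
		return len(accepted), fmt.Errorf("quorum not met: %d of %d distinct valid shares", len(accepted), k)
	}
	return len(accepted), nil
}

// RunScenarios runs a constructed 2-of-3 slate against the cases the verifier
// must reject. Keys and auction data are generated here, not taken from any ledger.
func RunScenarios() map[string]bool {
	var privs []ed25519.PrivateKey
	var slate []string
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		privs = append(privs, priv)
		slate = append(slate, Fingerprint(pub))
	}
	_, outsider, _ := ed25519.GenerateKey(rand.Reader) // valid key, but not on the slate
	body := UnsealBody{AuctionID: "avap-example-0001", Outcome: "fix-shipped", UnsealedAt: "2026-05-01T00:00:00Z"}
	other := body
	other.Outcome = "vendor-buyout"

	ok := func(shares ...Share) bool {
		_, err := VerifyUnseal(slate, 2, body, shares)
		return err == nil
	}
	return map[string]bool{
		"k distinct slate members":         ok(Sign(privs[0], body), Sign(privs[1], body)),
		"k-1 shares":                       ok(Sign(privs[0], body)),
		"one party signing twice":          ok(Sign(privs[0], body), Sign(privs[0], body)),
		"slate member plus outsider":       ok(Sign(privs[0], body), Sign(outsider, body)),
		"signatures over different bodies": ok(Sign(privs[0], body), Sign(privs[1], other)),
	}
}

func main() {
	for name, accepted := range RunScenarios() {
		fmt.Printf("%-34s accepted=%v\n", name, accepted)
	}
}
```

Only the first scenario is accepted. The deduplication by fingerprint is the part most easily forgotten: without it, one slate party can fabricate a "quorum" by signing k times, which is exactly the k-1 collusion the fail-closed check exists to stop.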

Trust posture — Pluck records, never holds custody

AVAP is a ledger, not a court. The auction protocol records:

  1. that the parties agreed the auction was open at time T
  2. that a quorum of k parties unsealed it at time T'
  3. that the parties published a payout distribution at time T''

Adjudication, dispute resolution, and actual money movement are always off-platform. Auction parties retain full agency over their fingerprints, their bids, and their payouts.

CLI

# 1. open
pluck bureau avap open \
  --target openai/gpt-4o \
  --nuclei-pack <rekor-uuid> --fingerprint <rekor-uuid> --mole <rekor-uuid> \
  --parties parties.json \
  --threshold 2-of-3 \
  --closes-at 2026-05-01T00:00:00Z \
  --disclosure-deadline 2026-05-15T00:00:00Z \
  --keys ./keys --accept-public

# 2. bid
pluck bureau avap bid <auction-id> \
  --direction delay --amount 50000 --currency USD \
  --keys ./keys --accept-public

# 3. status
pluck bureau avap status <auction-rekor-uuid> --auction auction.json --bids bids.json

# 4. unseal (after closesAt)
pluck bureau avap unseal <auction-id> --shares shares.json \
  --outcome fix-shipped --threshold 2-of-3 \
  --keys ./keys --accept-public

# 5. distribute
pluck bureau avap distribute <auction-id> \
  --escrow escrow.json --recipients recipients.json \
  --keys ./keys --accept-public