Security data moves through a 7-stage pipeline. Sensitive specifics are redacted before anything leaves your tools. VCRI receives only the output of that pipeline — never the input.
CRIBL API pull requires explicit read-only authorization from your team. Nothing is accessed without your approval. You choose which tools are included and can revoke access at any time.
The CRIBL sensitivity redaction function executes as the first processing step. Specific CVEs, IP addresses, and other sensitive identifiers are masked or dropped before they move anywhere. This is a technical control, not a policy promise.
The VCRI clearinghouse holds your CAM score profile — the aggregated, anonymized representation of your security posture. We do not maintain a database of your raw telemetry, vulnerability inventory, or tool configurations.
Your VCRI profile is visible to organizations that have you as a vendor — customers who have a legitimate need to assess your security posture. It is not visible to your competitors, the general public, or any government agency without legal process.
Allowing API pull maximizes your trust coefficients (α and β), giving you the strongest possible VCRI score. Vendors who prefer to package and submit their own data may do so — at a lower trust coefficient. Participation level is your choice.
The VCRI Vendor Assistant is a locally installed AI tool powered by Anthropic's Claude. It runs on your infrastructure. When you ask the assistant a question, that query is sent to Anthropic's API for processing — the same way any Claude-powered tool works.
VCRI never sees your assistant queries. Your questions about your own security environment, your tool inventory, your gaps — all of that stays between you and the Anthropic API.
When you're ready to submit a profile to the VCRI clearinghouse, the assistant helps you generate a structured, anonymized submission package. You review it before it's sent. You control what goes.

| Data Type | Anthropic API | VCRI Clearinghouse | Your Machine |
|---|---|---|---|
| Your assistant queries | Processed | Never | Stays here |
| Raw tool telemetry | Not sent | Never | Stays here |
| Specific CVEs / IPs | Not sent | Never | Stays here |
| CAM posture profile | Not sent | On submission | Stays here |
| Your VCRI score | Not sent | Visible to customers | Your copy |

Vendors with enterprise requirements may use Anthropic's enterprise API with a Data Processing Agreement. Contact info@valuechainrisk.org for enterprise configuration guidance.
Automated API pull maximizes your trust coefficients. A strong VCRI score replaces dozens of customer questionnaires — permanently. Your security team answers them once, automatically, for everyone.
VCRI is governed by a board of recognized neutral authorities. No board member sells competing security products. The entire mission is accurate, neutral assessment.