2026-06-12 · v0idfox

Why vendor self-reports fail

The trust gap

Every privacy policy is a promise. Every "we don't log" is a claim. None of them are verifiable by the people they're made to — until someone reads the binary.

Self-reports fail for three structural reasons:

  1. The author owns the result. A vendor grading its own homework has every incentive to round up.
  2. No adversary. Real findings come from someone trying to break the claim, not someone confirming it.
  3. No skin in the game. When a self-report is wrong, nothing happens. When an OPCODE report is wrong, peer review rejects it and the payout never lands.

What replaces it

A pseudonymous reverse engineer, a bounty, and a quorum of peers who only get paid when their verdict survives scrutiny. That's the whole model. Read the binary. Not the marketing.