Software authors sign up and get a bug-tracker-like interface, but one focused on identifying the severity and impact of the issues that have been reported. Issues are closed when a patch is uploaded.
Software users sign up to be put on a notification list for when software they use announces a vulnerability. Emails sent to users follow best-practice reporting: the severity and impact are easy to identify at a glance.
Software authors get a public interface for receiving security reports. The user who reported the problem is notified when the bug is triaged, announced, and so on.
The service assists in the process of getting CVEs for projects.
Two revenue sources:
- The service can charge a monthly fee for providing the service.
- A project can set a fee for being on the pre-notification list, with a higher fee for earlier access or for receiving the patch itself.
A project also gets tools to manage and distribute bug bounties, if they want to offer them.
The service's own code could be an open source project, with the paid offering being the hosted SaaS version.