Without a proof of compromise, sadly it's difficult to force. With a proof of compromise, you're going to jail.
1. It grants a seal/hologram to its members that can be put on products to communicate to customers that the company takes security validation seriously. Otherwise, it will show during the marketing presentation that they are not a member, and they risk making an adverse impression about the security of their product upon their customers (this idea depends on a network effect, which can be hard to get in the early days).
2. Member companies, research companies and individual researchers pay annual membership fees that go towards the operating costs of this authority. The amount is reasonably small for individual researchers or small companies so that it is not a burden.
3. This authority mainly acts as custodian of bug bounties i.e. all bug bounty programs of members are published on its website and it is designated the authorized validator of bounty claims.
4. There is a disclosure framework that this authority, member companies and researchers sign up to.
5. Member companies agree to allow this authority to do the testing necessary to validate bounties, without the threat of a lawsuit against it.
6. When a researcher finds a vulnerability, they report the specifics to the authority, instead of risking the legal consequences of any actions taken on their own.
7. Upon successful validation, a small percentage of the bounty (e.g. 5 to 10%) goes to the authority and the rest of it is released to the researcher. This acts as an incentive for the authority to vigorously validate the reports.