Can I participate anonymously?

You are welcome to participate anonymously by creating an account without any personally identifiable information. Only your chosen display name will appear within the case discussion, which means that your first and last name will not appear anywhere. To assist with anonymity, we suggest creating a VINCE account with a disposable or temporary email address and using a pseudonym for your display name.

Will the vendor know who I am?

The vendor and any other participant in the case will only be able to see the display name you choose when you create the VINCE account. This name can be changed at any time from within the Profile page.

What happens to reports submitted anonymously (i.e., without being linked to a VINCE account)?

Because a VINCE account is required in order to access case files, you will be unable to participate in the coordination process for reports that are not associated with a VINCE account. It is possible to create a VINCE account after submitting your report, which will grant access to your initial report (and the ensuing coordination activities) as long as the email address listed on the report is the same as the one used to create the VINCE account.

What should I do if a vendor is not responding?

If a vendor is unresponsive, the CERT/CC will attempt to elicit participation from the vendor, but the CERT/CC can coordinate disclosure and publish a vulnerability note without the vendor's involvement.

What do the various case statuses mean?

The report status will be "pending" when you initially submit your vulnerability report. The status will change to "open" once we accept the report for coordination and assign an associated VU# tracking number. "Closed" indicates that the CERT/CC has either not accepted the report for coordination, or coordination is complete. "Published" means that the CERT/CC has published a vulnerability note associated with the case to kb.cert.org.

How can I add information to my submitted vulnerability report?

You can edit your initial vulnerability report until we have accepted or declined the report for coordination. Once your initial vulnerability report leaves the "pending" status, you will be unable to edit your report. If you need to provide the CERT/CC with more information, you can add a comment to the vulnerability report, post in the open case discussion, or send the CERT/CC a direct private message.

How do I ask the CERT/CC to reconsider a closed case?

You can add a comment to the closed VRF# report with any additional information that you think is relevant for reconsideration, including new vulnerability details or a change in vendor cooperation.

Will the CERT/CC give me a CVE ID?

The CERT/CC may assign CVE IDs to vulnerabilities that we actively coordinate, but typically only after vendor CVE Numbering Authorities (CNAs) have declined to do so. Please follow the process to Request CVE IDs, which may lead you to Submit a CVE Request directly to the CVE Program Root CNA.

Can I add another reporter to a current case?

If another reporter should be added to the case, please send the CERT/CC a direct private message with the user's VINCE account information, including the email address.

Who else can see my report?

If the CERT/CC accepts the vulnerability report for coordination, any participant added to the case (including vendors) will be able to see your initial report.