
VINCE


Accounts

Welcome to the CERT/CC VINCE environment. The VINCE coordination platform allows anyone to anonymously report vulnerabilities. However, if you wish to participate in the coordination process, including discussions with vendors and researchers/reporters, then an account is required. We recommend that each individual on a team creates a VINCE account to participate on behalf of their organization. The account provides the ability to view case information, post in the case discussion, provide vendor status and statement updates, and direct message CERT/CC. VINCE was designed and created to encourage interaction between vendors and reporters. A potential benefit is that multi-vendor coordination efforts may become more cooperative, with vendors sharing information on how to mitigate the vulnerability.

To report vulnerabilities anonymously, complete the "Vulnerability Reporting Form" at our web page (https://kb.cert.org/vuls/vulcoordrequest/).

Getting an account

Everyone involved in the coordinated vulnerability disclosure process will want a VINCE account. The account allows participants to follow and support the coordination process. Obtaining a VINCE account is easy! Visit our web page (https://kb.cert.org/vince) and get started.

Creating an Account


The overall process of obtaining a VINCE account is:

  1. Navigate to the VINCE website.
  2. Click on "Create an Account".
  3. Complete the VINCE signup form.
  4. Wait for an email response granting your access.

Completing the VINCE form

Please complete the form to create a VINCE account. The email address you provide will be your login username. The login username and password are case-sensitive.

  1. Enter a valid email address which you can access. (This field is case-sensitive.)
  2. Create a new password that meets these requirements. (This field is case-sensitive.)
    1. Minimum length is 8 characters
    2. Requires at least 1 number
    3. Requires at least 1 special character ("+" and "=" don't count)
    4. Requires uppercase letters
    5. Requires lowercase letters
  3. Enter the same password again for confirmation.
  4. Enter your preferred Display Name. Note: this name is visible to other VINCE users. It may only contain 1 space and may not contain special characters.
  5. Enter your first name.
  6. Enter your last name.
  7. Enter your Company/Affiliation.
  8. Enter your Job Title.
  9. Click the box "I agree to the terms of service" after reviewing the terms of service.
  10. Click on "Sign up".
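As an added illustration (not VINCE's own code), the signup rules above, together with the SMS phone-number format described later under "Using SMS", expressed as checks you can run against candidate values before filling in the form. The page does not define "special character", so the set used here (ASCII punctuation minus "+" and "=") is an assumption.

```python
import re
import string

# Password rules as stated on the VINCE signup form.
MIN_PASSWORD_LENGTH = 8
# Assumption: "special" means ASCII punctuation; the form explicitly says
# "+" and "=" do not count, so they are excluded.
SPECIAL_CHARS = set(string.punctuation) - {"+", "="}


def password_problems(password: str) -> list[str]:
    """Return the VINCE password rules the candidate fails (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("minimum length is 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("requires at least 1 number")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append('requires at least 1 special character ("+" and "=" don\'t count)')
    if not any(c.isupper() for c in password):
        problems.append("requires uppercase letters")
    if not any(c.islower() for c in password):
        problems.append("requires lowercase letters")
    return problems


def display_name_ok(name: str) -> bool:
    """Display Name may contain at most one space and no special characters."""
    if not name or name != name.strip() or name.count(" ") > 1:
        return False
    # Assumption: anything that is not a letter, digit or the single space is "special".
    return all(c.isalnum() or c == " " for c in name)


def sms_number_ok(number: str) -> bool:
    """International format for SMS MFA: "+" country code then the number.

    Spaces and dashes are allowed as separators (e.g. +1 NPA-XXX-XXXX for a
    US number). A US (+1) number must have exactly 10 digits after the code.
    """
    compact = re.sub(r"[\s-]", "", number)
    if compact.startswith("+1"):
        return re.fullmatch(r"\+1\d{10}", compact) is not None
    # Other countries: E.164-style, 1 to 15 digits after the "+".
    return re.fullmatch(r"\+\d{1,15}", compact) is not None


if __name__ == "__main__":
    # Constructed sample values to exercise the checks.
    for pw in ("Abcdef1!", "Abcdef1+", "abc"):
        print(pw, password_problems(pw) or "OK")
```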

Verify your account

When signing up for a VINCE account, you need to provide a valid email address that you can access, because the confirmation code used to verify your account is sent there.

Once you receive the VINCE verification code, submit it to verify your account.

Account approval

Once you have submitted the confirmation code, your VINCE account needs to be approved. A VINCE coordinator reviews your account for approval.

Once your account has been approved and you can log in, you will be able to select your method of 2FA.

Vendor Association

If you are a researcher, or the first employee from your vendor organization to create a VINCE account, your account is placed into a pending state for CERT/CC review and approval. Once approved, you will receive an email letting you know. You will still need to be associated with your organization in VINCE by a CERT/CC analyst. Please send us a direct message requesting to be associated with your organization, and we will independently verify with your organization that the request is valid. If you are the first user for the vendor, we will additionally make you the administrator so that you may manage the group.

If you are part of an existing vendor and your group administrator invited you directly to VINCE, then you should already be associated with your vendor and see any cases it is involved in on your Dashboard. If you do not see cases and expect to, please send us a direct message. If your group already has an administrator in VINCE, we will transfer your association request to them.

Multifactor Authentication

VINCE accounts require multifactor authentication for obvious security reasons. This requirement is part of the reason we recommend that each user has their own individual account, as opposed to a shared team account, since a team would otherwise have to securely share the MFA token as well.

Screenshot: VINCE approval popup

Screenshot: First-time login - Multi-Factor Authentication Required

VINCE currently offers a choice of two second-factor options:

  1. Time-based one-time passwords (TOTP). TOTP requires access to a third-party authenticator application, such as Google Authenticator, Duo, or LastPass Authenticator.
  2. Short Message Service (SMS) text messages.

Screenshot: Multi-Factor Required


Info

CERT/CC recommends using TOTP as opposed to SMS multifactor authentication for VINCE accounts. Aside from the increased security that TOTP provides, there have been issues with various mobile carriers marking these SMS messages as spam, which prevents the user from ever receiving the message. If SMS is the only option for authentication, then users are encouraged to reach out to their provider directly for customer service if they run into issues. We recommend asking them to have the SMS short code block cleared for their account.

Using TOTP

  1. Select "TOTP".
  2. A QR code is generated that can be scanned using the authentication application of your choice.
  3. Scan the QR code with your authentication application. This should generate a numeric code.
  4. Enter the temporary code generated by the application.
  5. (Optional) Give your device a friendly name, so you can easily find the correct code generator later.

    Screenshot: TOTP token to link app to VINCE for authentication

  6. You will have two forms of confirmation that TOTP multifactor authentication has been enabled on your account:
    1. A green banner on the web page indicating success and displaying your User Profile.
    2. An email message confirming your MFA was successfully enabled.

Using SMS

  1. Select "SMS".
  2. Enter the phone number you will use to receive text messages containing an authorization code.
    1. Use the international format: + (country code) phone number
    2. If you have a United States number, please use +1 NPA-XXX-XXXX
       (NPA: Numbering Plan Area, also known as the "area code")

      Screenshot: Enable SMS MFA

  3. Click "Submit".
  4. Verify your account by entering the authorization code sent to you as an SMS.

    Screenshot: Verify phone number

  5. You will have two forms of confirmation that SMS multifactor authentication has been enabled on your account:
    1. Web page indicating success and displaying your User Profile.

      Screenshot: SMS - user profile

    2. An email message confirming your MFA was successfully enabled.

Password Recovery

If you need to recover your password, you can use the VINCE password recovery feature, accessed by clicking "Forgot your password?" on the login page. This option can be completed by the user. CERT/CC analysts will review these requests and may reach out to you for confirmation or validation of the request.

If you need additional help, you can click the "Need help?" link, which shares the following information:

  1. The link to reset your password;
  2. Telephone number to request assistance;
  3. Email address to request assistance.

If you forgot your password, you can reset your password.

If you lost your multi-factor authentication (MFA) device, you will need to contact us at +1 412-268-5800 or cert@cert.org to reset your account.

Screenshot: reset successful
