Table of Contents |
---|
...
VINCE
...
Accounts
Welcome to the CERT/CC VINCE environment. The VINCE environment coordination platform allows for you anyone to anonymously report vulnerabilities! . However, if you wish to participate in the coordination process, including discussions with vendors and researchers/reporters, then an account is required. We recommend that each individual on a team creates a VINCE account to participate on behalf of their organization. The account will provide the ability to view case information, post in the case discussion, provide vendor status and statement updates, and direct message CERT/CC. VINCE was designed and created to encourage the interaction between vendors and reporters. A potential benefit is that multi-vendor coordination efforts may become more cooperative, with vendors sharing information on how to mitigate the vulnerability.
To report vulnerabilities anonymously, complete the "Vulnerability Reporting Form" at our web page (https://kb.cert.org/vuls/vulcoordrequest/) as shown below.
Getting an account
Everyone involved in the coordinated vulnerability disclosure process will want a VINCE account. The VINCE account will provide participants to watch and support to the coordination process. Obtaining a VINCE account is easy! Visit our web page (https://kb.cert.org/vince) and get started.
, so creating an account and participating in the coordination efforts will increase cooperation, information sharing, and allow
Creating an Account
...
The overall process of obtaining a VINCE account is:
- Navigate to the VINCE site. website
- Click on "Create an Account"., or go directly to this link
- Complete the VINCE signup form.Wait for an email response granting your access.
Completing the VINCE form
Please complete the form to create a VINCE account. The email address you provide will be your login username. The login username and password are case-sensitive.
- When filling out the form, please note that your Display Name will be
- Enter a valid email address which you can access. (This field is case-sensitive.)
- Create a New Password with these requirements: (This field is case-sensitive.)
- minimum length is 8 characters
- Requires at least 1 number
- Requires at least 1 special character ("+" and "=" don't count)
- Requires uppercase letters
- Requires lowercase letters
- Enter the same password for confirmation.
- Enter Preferred Display Name.
Note: this name is- visible to other VINCE users. It
- Enter First name.
- Enter Last name.
- Enter Company/Affiliation.
- Enter Job Title.
- Click the box "I agree to the terms of service" after reviewing the terms of service.
- Click on "Sign up".
Verify your account
When signing up for a VINCE account the user needs to provide a valid email address to receive the confirmation code to verify your account.
Once you receive the VINCE verification code please:
...
Account approval
Once you have submitted the confirmation code, your VINCE account needs to be approved.
VINCE coordinator reviews your account for approval.
Upon approval,
...
- can be changed later in your account settings.
- Once your account has been approved and you can login, you will be able to select your method of 2FA
...
Vendor Association
If you are a researcher or the first employee from your vendor organization to create a VINCE account then your account is placed into a pending state for CERT/CC review and approval. Once approved, you will receive an email letting you know that you have been approved. You will still need to be associated with your organization in VINCE by a CERT/CC analyst. Please send us a direct message requesting to be associated with your organization and we will independently verify with your organization that the request is valid. If you are the first user for the vendor, we will additionally make you the administrator so that you may manage the group.
If you are a part of an existing vendor and your group administrator invited you directly to VINCE, then you should already be associated properly with your vendor and see any cases that they are involved in on your Dashboard. If you do not see cases and expect to, please send us a direct message. If your group has an administrator in VINCE, we will transfer your request to be associated to them.
...
Multifactor Authentication
VINCE accounts require multifactor authentication for obvious security reasons. This requirement is part of the reason we recommend that each user has their own individual account, as opposed to a shared team account, as the team would have to securely share the MFA token as well.
VINCE currently offers a choice of authentication options:
Login first time - Multi-Factor Authentication Required
VINCE currently offers a choice
- Time-based one-time passwords (TOTP) passwords as second factor authentication. To use TOTP, you need access to an app
- TOTP requires access to a third-party application, such as Google Authenticator, Duo, or LastPass Authenticator
- Short Message Service (SMS) text messages
Info |
---|
CERT/CC recommends using TOTP as opposed to SMS multifactor authentication for VINCE accounts. Aside from the increased security that TOTP provides, there have been issues with various mobile carriers marking these SMS messages as spam, which prevents the user from ever receiving the message. If SMS is the only option for authentication, then users are encouraged to reach out to their provider directly for customer service if they run into issues. We recommend asking them to have the SMS short code block cleared for their account. |
Using TOTP
- Select "TOTP"
- The system generates an image that is scanned into your device, running an application, and displays a scan code on your screen
- Scan the code image into your authentication application. This action should generate a numeric code.A QR code will be generated that can be scanned using the authentication application of your choice
- Enter that temporary password (or code).generated by the application
- (Optional) Name that device, software or application, so you may easily access the correct code generator.Give your device a friendly name
- You will have two forms of confirmation your account has successfully enabled TOTP Multi-factor multifactor authentication on your account.:
- A green banner on the web
- Web page indicating success and displaying your " User Profile"
- An email message confirming your MFA was successfully enabled.
Using SMS
- Select "SMS".
- Enter the phone number you will use to receive text messages containing an authorization code.
- Use the International format as follows: + (country code) phone number
- If you have a United States number, please use +1 NPAXXX-XXX-XXXX
(NPA: Numbering plan Area is also know as "area code")
- Click "Submit".
- Verify your account by entering the authorization code contained in the text message.sent as an SMS
- You will have two forms of confirmation that your account has successfully enabled SMS Multi-factor authentication on your account.multifactor authentication:
- Web page indicating success and displaying your User Profile.
An email message confirming your MFA was successfully enabled.
- Web page indicating success and displaying your User Profile.
...
Password Recovery
Because passwords can be forgotten, VINCE offers a If a user needs to recover their password, they can user the VINCE password recovery feature. This option can be completed by the user.
...
accessed by clicking "Forgot your password?"
...
- The link to reset your password;
- Telephone number to request assistance;
- Email address to request assistance.
...
on the login page or clicking the previous link. CERT/CC analysts will review these requests and may reach out to you for confirmation or validation of the request.
If you need additional help, you can click the "Need help?" link that will share the following information:
If you forgot your password, you can reset your password.
If you lost your multi-factor authentication (MFA) device, you will need to contact us at +1 412-268-5800 or cert@cert.org to reset your account.
...
- 2FA required
- Recover/reset account
- Want to be anonymous? See FAQ, can report without creating account.
...
--- if not Will; maybe a separate page? ---
- For vendors
- Creating a vendor
- Add user to vendor
- Vendor administrator
...