We encourage both vendors and reporters to make a VINCE account to facilitate active involvement in the coordination of vulnerabilities reported to the CERT/CC. A vendor without an account will be unable to view vulnerability reports shared with the CERT/CC or participate in the coordination process. A reporter without an account will be unable to communicate with vendors or receive updates on the coordination status of submitted reports. A reporter can create an account after submitting a vulnerability report to gain access to submitted reports, as long as the account is created using the same email address as the email address provided in the submitted report.
My VINCE account has been associated with the proper vendor group, why can't I access my cases?
Log out and back in to VINCE.
What is the service-level agreement (SLA) between the CERT/CC and VINCE users?
- whether the vendor or maintainer has not replied in a reasonable time frame (typically about two weeks);whether the vendor was initially responsive, but then stopped responding or has stopped communicating (typically about two weeks of silence);
- whether the vendor has fixed a critical issue, but did not clearly document the fix in a security advisory, news article, or changelog;release notes
- whether the vulnerability affects multiple vendors, which would be difficult for an individual reporter to coordinate alone;
- whether the vulnerability could cause extensive nation-wide or world-wide damage (for example, problems with internet infrastructure protocols like DNS and NTP);
- whether communication between the reporter and vendor can benefit from third-party mediation
- whether the reporter wishes to remain anonymous.
More information on this topic can be found on our wiki.
We prefer that you message us through VINCE, but you may still email us at firstname.lastname@example.org. Please continue to use the appropriate tracking number (such as VU#, VRF#, or VU#General-) in the subject of any email you send to us. Messages through the VINCE site will likely receive a faster response than email.