Versions Compared

Old Version 32

changes.mady.by.user Laurie Tyzenhaus

Saved on

compared with

New Version Current

changes.mady.by.user Eric Hatleback

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

VINCE Accounts

The VINCE coordination platform allows for anyone to anonymously report vulnerabilities. However, if you wish to participate in the coordination process, including discussions with vendors and researchers/reporters, then an account is required. We recommend that each individual on a team creates a VINCE account to participate on behalf of their organization. The account will provide the ability to view case information, post in the case discussion, provide vendor status and statement updates, and direct message CERT/CC. VINCE was designed and created to encourage the interaction between vendors and reporters, so creating an account and participating in the coordination efforts will increase cooperation, information sharing, and allow

Creating an Account

The overall process of obtaining a VINCE account is:

  1. Navigate to the VINCE website

Get an account

Everyone involved in the coordinated vulnerability disclosure process will want a VINCE account. Obtaining a VINCE account is easy!  Visit our web page and get started.

Creating an account

  1. Navigate to our VINCE page
  2. Click on "Create an Account", or go directly to this link
  3. Complete the VINCE signup form
  4. Watch for an email response granting your access.

Image Removed

Completing the VINCE form

  1. Enter a valid email address which you can access. This field is case-sensitive.
  2. Create a New Password with these requirements: (This field is case-sensitive.)
    1. minimum length is 8 characters
    2. Requires at least 1 number
    3. Requires at least 1 special character ("+" and "=" don't count)
    4. Requires uppercase letters
    5. Requires lowercase letters
  3. Password confirmation
  4. Preferred Display Name
    Note: this name is
    1. When filling out the form, please note that your Display Name will be visible to other VINCE users. It
    may only contain 1 space and may not contain special characters.
  5. First name
  6. Last name
  7. Company/Affiliation
  8. Job Title
  9. Click the box to agree to the terms of service.
  10. Click on Sign up

Complete VINCE form to obtain an account.Image Removed

Verify your account

When signing up for a VINCE account the user needs to provide a valid email address to receive the confirmation code to verify your account.

Once you receive the access code please

Email containing confirmation codeImage Removed

...

Account approval

Once you have submitted the confirmation code, your VINCE account needs to be approved.

...

Login first time - Multi-Factor Authentication Required

First-time loginImage Removed

VINCE currently offers a choice

...

    1. can be changed later in your account settings.
  2. Once your account has been approved and you can login, you will be able to select your method of 2FA


...

Vendor Association

If you are a researcher or the first employee from your vendor organization to create a VINCE account then your account is placed into a pending state for CERT/CC review and approval. Once approved, you will receive an email letting you know that you have been approved. You will still need to be associated with your organization in VINCE by a CERT/CC analyst. Please send us a direct message requesting to be associated with your organization and we will independently verify with your organization that the request is valid. If you are the first user for the vendor, we will additionally make you the administrator so that you may manage the group.

If you are a part of an existing vendor and your group administrator invited you directly to VINCE, then you should automatically be associated properly with your vendor and see any cases that they are involved in on your Dashboard. If you do not see cases and expect to, please send us a direct message. If your group has an administrator in VINCE, we will transfer your request to be associated with them to the admin.


...

Multifactor Authentication

VINCE accounts require multifactor authentication for obvious security reasons. This requirement is part of the reason we recommend that each user has their own individual account, as opposed to a shared team account, as the team would have to securely share the MFA token as well. VINCE previously allowed users to perform multifactor authentication with Short Message Service (SMS) text messages. However, since November 8, 2023, the SMS option has been disabled, and all multifactor authentication must be performed using time-based one-time passwords (TOTP). TOTP requires access to a third-party application, such as Google Authenticator, Duo, or LastPass Authenticator.

...

Using TOTP

  1. A QR code will be generated that can be scanned using the authentication application of your choice.

Select the multi-factor authentication methodImage Removed

TOTP

  1. Select TOTP
  2. The system generates an image that is scanned into your device, running an application ... and displays the scan code on your screen
  3. Scan the code into your authentication application.  This action should generate a code.
  4. Enter that temporary password (or code)generated by the application.
  5. (Optional) Name that device, software or application, so you may easily access the correct code generator.
    TOTP code to link your authorization application.Image RemovedGive your device a friendly name.

    TOTP Token to link app to VINCE for authenticationImage Added

  6. You will have two forms of confirmation that your account has successfully enabled TOTP Multi-factor multifactor authentication on your account.:
    1. A green banner on the web
    2. Web page indicating success and displaying your User Profile
      Image Removed(see below), and

      Image Added

    3. An email message
      Image Removed

SMS

...

  1. Use the International format as follows: + (country code) phone number
  2. If you have a United States number, please use +1 NPA-XXX-XXXX
     (NPA: Numbering plan Area a.k.a. area code)
    Image Removed

...

    1. confirming your MFA was successfully enabled.



...

Authentication reset requests

MFA Reset Requests

If a user needs to reset their MFA due to lost/new device, please use the MFA reset process. The user must first login using their name and password. When the MFA prompt appears, click the "Troubleshoot MFA" link and follow the instructions on resetting the MFA. Note that if a password reset is required, this must be completed prior to any request to reset MFA.

Image Added


The user will be required to provide a reason for the reset.

Image Added

Upon completing the form, follow the instructions in the email sent to the user. A VINCE analyst will receive the request and will reset the MFA within 1-3 business days.

Once the VINCE analyst has reset the MFA, the user will receive an automated email that their MFA has been reset. Upon logging in to VINCE, the user will be prompted to select a new MFA method.

Password Recovery

If a user needs to recover their password, they can user the VINCE password recovery feature. This can be accessed by clicking "Forgot your password?" on the login page or clicking the previous link. CERT/CC analysts will review these requests and may reach out to you for confirmation or validation of the request.

If you need additional help, you can click the "Need help?" link that will share the following information:

If you forgot your password, you can reset your password.

...

Password Recovery

Image Removed

  •  2FA required
  •  Recover/reset account
  •  Want to be anonymous? See FAQ, can report without creating account.

...

--- if not Will; maybe a separate page? ---

  •  For vendors
  •  Creating a vendor
  •  Add user to vendor
  •  Vendor administrator 


...