Why is the CERT/CC moving to a more collaborative vulnerability coordination process?
The CERT/CC is moving to a collaborative vulnerability coordination process because it is more efficient, it fosters goodwill and trust among those involved, and it consolidates relevant information into a single shared space. The change to a bus topology eases communication between parties when multiple vendors are involved, it lessens the requirement for a coordinator to be a moderator, and it increases speed of information transmission in multiparty vulnerability coordination efforts.
Why should I make a VINCE account?
We encourage both vendors and reporters to make a VINCE account to facilitate active involvement in the coordination of vulnerabilities reported to the CERT/CC. A vendor without an account will be unable to view vulnerability reports shared with the CERT/CC or participate in the coordination process. A reporter without an account will be unable to communicate with vendors or receive updates on the coordination status of submitted reports. A reporter can create an account after submitting a vulnerability report to gain access to submitted reports, as long as the account is created using the same email address as the email address provided in the submitted report.
What is the service-level agreement (SLA) between the CERT/CC and VINCE users?
Vendors and reporters can expect a response from the CERT/CC within three days.
What happened to PGP email?
The VINCE platform does not require PGP for secure communications. VINCE relies on account access controls and HTTPS to keep case discussions and messaging secure. Vendors and reporters are still able to upload and share PGP keys on their contact pages.
What type of case does the CERT/CC usually coordinate?
The CERT/CC considers the following conditions when deciding to coordinate:
- whether the vendor or maintainer has not replied in a reasonable time frame (typically about two weeks);whether the vendor was initially responsive, but then stopped responding or has stopped communicating (typically about two weeks of silence);
- whether the vendor has fixed a critical issue, but did not clearly document the fix in a security advisory, news article, or changelog;release notes
- whether the vulnerability affects multiple vendors, which would be difficult for an individual reporter to coordinate alone;
- whether the vulnerability could cause extensive nation-wide or world-wide damage (for example, problems with internet infrastructure protocols like DNS and NTP);
- whether communication between the reporter and vendor can benefit from third-party mediation
- whether the reporter wishes to remain anonymous.
More information on this topic can be found on our wiki.
What happened to PGP email?
The VINCE platform does not require PGP for secure communications. This was an intentional choice. While PGP email is a lowest common transport for coordination, PGP email is error-prone, especially at scale. VINCE relies on account authorization and access controls uses HTTPS to keep case discussions and messaging secure. VINCE users are still able to upload and share PGP keys on their contact pages.
Can I still send email to the CERT/CC?
We prefer that you message us through VINCE, but you may still email us at firstname.lastname@example.org. Please continue to use the appropriate tracking number (such as VU#, VRF#, or VU#General-) in the subject of any email you send to us. Messages through the VINCE site will likely receive a faster response than email.
Who sees my private messages with the CERT/CC?
A direct private message sent to the CERT/CC by an individual user can be seen by the user and CERT/CC analysts. A direct private message sent from the CERT/CC to a vendor can be seen by CERT/CC analysts and all members of the vendor organization with associated VINCE accounts.
Who sees the posts in the case discussion?
Anyone participating in the case can see the posts in the case discussion. Additionally, any participants that are added after discussion has begun will have access to the full discussion forum, including previous posts that occurred before the new participants joined the discussion. All coordinators, vendors, and participants are listed on the left-hand side of the case view.
Can I private message a VINCE user other than the CERT/CC?
No, you are unable to direct private-message another VINCE user. We encourage all relevant case discussion and coordination to happen within VINCE's case discussion page.
Who are the Coordinators? Can there be more than one?
VINCE currently only supports one Coordinator role, and that Coordinator is the CERT/CC. Looking outside of VINCE, a vulnerability coordination case can have more than one coordinator. VINCE does support the addition of other Participants to a case, these Participants can be other trusted researchers or experts or members of a different coordination team than the CERT/CC.
What time zone does VINCE use?
VINCE operates in UTC. Currently, all dates and times are also shown in UTC. We intend to make this configurable on a per-user basis, and probably also shift to the ISO 8601 time and date format.