...

Vendors and reporters can expect a response from the CERT/CC within three days.

What

...

The VINCE platform does not require PGP for secure communications. VINCE relies on account access controls and HTTPS to keep case discussions and messaging secure. Vendors and reporters are still able to upload and share PGP keys on their contact pages.

What type of case does the CERT/CC usually coordinate?

...

  • whether the vendor or maintainer has not replied in a reasonable time frame (typically about two weeks);
  • whether the vendor was initially responsive, but then stopped responding or has stopped communicating (typically about two weeks of silence);
  • whether the vendor has fixed a critical issue, but did not clearly document the fix in a security advisory, news article, changelog, or release notes;
  • whether the vulnerability affects multiple vendors, which would be difficult for an individual reporter to coordinate alone;
  • whether the vulnerability could cause extensive nation-wide or world-wide damage (for example, problems with internet infrastructure protocols like DNS and NTP);
  • whether communication between the reporter and vendor can benefit from third-party mediation;
  • whether the reporter wishes to remain anonymous.

More information on this topic can be found on our wiki.

What happened to PGP email?

The VINCE platform does not require PGP for secure communications. This was an intentional choice. While PGP email is a lowest common transport for coordination, PGP email is error-prone, especially at scale. VINCE relies on account authorization and access controls and uses HTTPS to keep case discussions and messaging secure. VINCE users are still able to upload and share PGP keys on their contact pages.

Can I still send email to the CERT/CC?

We prefer that you message us through VINCE, but you may still email us at cert@cert.org. Please continue to use the appropriate tracking number (such as VU#, VRF#, or VU#General-) in the subject of any email you send to us. Messages through the VINCE site will likely receive a faster response than email.

...

How do I use the API?

Please see the VINCE API section of the User Manual.