Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

We encourage both vendors and reporters to make a VINCE account to facilitate active involvement in the coordination of vulnerabilities reported to the CERT/CC. A vendor without an account will be unable to view vulnerability reports shared with the CERT/CC or participate in the coordination process. A reporter without an account will be unable to communicate with vendors or receive updates on the coordination status of submitted reports.  A reporter can create an account after submitting a vulnerability report to gain access to submitted reports, as long as the account is created using the same email address as the email address provided in the submitted report.

My VINCE account has been associated with the proper vendor group, why can't I access my cases?

Log out and back in to VINCE.

What is the service-level agreement (SLA) between the CERT/CC and VINCE users?

Vendors and reporters can expect a response from the CERT/CC within three days.

What happened to PGP email?

The VINCE platform does not require PGP for secure communications.  VINCE relies on account access controls and HTTPS to keep case discussions and messaging secure. Vendors and reporters are still able to upload and share PGP keys on their contact pages.

What type of case does the CERT/CC usually coordinate?

...

More information on this topic can be found on our wiki.

What happened to PGP email?

The VINCE platform does not require PGP for secure communications. This was an intentional choice. While PGP email is a lowest common transport for coordination, PGP email is error-prone, especially at scale. VINCE relies on account authorization and access controls uses HTTPS to keep case discussions and messaging secure. VINCE users are still able to upload and share PGP keys on their contact pages.

Can I still send email to the CERT/CC?

...

How do I use the API?

Please see the VINCE API section of the User Manual.