Versions Compared


...

CERT/CC is moving to a collaborative vulnerability coordination process because it is more efficient, it fosters goodwill and trust among those involved, and it consolidates relevant information into a single shared space. The change to a bus topology eases communication between parties when multiple vendors are involved, lessens the need for a coordinator to act as a moderator, and increases the speed of information transmission in multiparty vulnerability coordination efforts.

...

We encourage both vendors and reporters to create a VINCE account to facilitate active involvement in the coordination of vulnerabilities reported to CERT/CC. A vendor without an account will be unable to view vulnerability reports shared with CERT/CC or to participate in the coordination process. A reporter without an account will be unable to communicate with vendors or to receive updates on the coordination status of submitted reports. A reporter can create an account after submitting a vulnerability report to gain access to their submitted reports, as long as the account uses the same email address as the one provided in the submitted report.

What is the service-level agreement (SLA) between CERT/CC and VINCE users?

...

The VINCE platform does not require PGP for secure communications. Instead, VINCE relies on account access controls and HTTPS to keep case discussions and messaging secure. Vendors and reporters are still able to upload and share PGP keys on their contact pages for interested parties.

What type of case does CERT/CC usually coordinate?

...

  • whether the vendor or maintainer has failed to reply within a reasonable time frame (typically about two weeks);
  • whether the vendor was initially responsive but then stopped responding (typically about two weeks of silence);
  • whether the vendor has fixed a critical issue but has not clearly documented the fix in a security advisory, news article, or changelog;
  • whether the vulnerability affects multiple vendors, which would be difficult for an individual reporter to coordinate alone;
  • whether the vulnerability is extremely serious and could cause extensive nationwide or worldwide damage (for example, problems with internet infrastructure protocols such as DNS and NTP);
  • whether the reporter wishes to remain anonymous.

More information on this topic can be found on our wiki.

...

We prefer that you message us through the VINCE site, but you may still email us at cert@cert.org. Please continue to include the appropriate tracking number (VRF# or VU#) in the subject of any email you send to us. Messages sent through the VINCE site will receive a faster response than email.

...

Anyone participating in the case can see the posts in the case discussion. Participants added after the discussion has begun have access to the full discussion, including posts made before they joined. All coordinators, vendors, and participants are listed on the left-hand side of the case view.

...