Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

A reporter can submit a vulnerability report by filling out the vulnerability reporting form at this address: https://kb. cert.org/vuls/vulcoordrequest/ . It is strongly recommended that you submit this report while logged into your VINCE account.

Once a reporter has submitted a vulnerability report, they will receive an email with the VRF# (Vulnerability Reporting Form Number) as an acknowledgment of receipt of the report. At this point, the submission is placed in the "Pending" state, shown by the "Pending" tag within the report. Reporters can view their submitted reports that are in the "Pending" state by clicking on "My Vulnerability Reports" in the left menu bar.

If the coordinators have questions for the reporter before accepting the case for coordination (while it is still in the "Pending" state), they can comment directly on the VRF# with their questions. When this happens, the reporter will get an email stating that there was an update to their vulnerability report. They will need to log into VINCE and check their vulnerability report for the update.

If a reporter wants to share more information with the coordinators while their case is still pending, they can add comments or files directly to the VRF#. To do this, they need to select the VRF# within the "My Vulnerability Reports" page and scroll below their report to find the comment box and file upload area.

...

The inbox can be used if anyone involved needs to send a private message to the coordinators regarding a case or a variety of other topics. To send a message, use this link to perform the steps below:

  1. Go to the "Inbox" and click the "Private Message CERT/CC" button in the top right
  2. Select the subject for your message from the drop-down menu, type your message, then click "Send"

...

If you have been told about an existing vulnerability case from a group already involved and believe that you should also be involved, you can contact the coordinators to be added to the case. To request access to a case, use this link to perform the steps below:

  1. From the "Inbox", click the "New Message" button
  2. Choose "Request for Vendor Access to a Case" from the "Why are you contacting us?" dropdown
  3. Fill in additional details regarding why you believe you should be added to the case, including the tracking number for the case you are requesting access to
  4. Click "Send"

...

The right bar within the Case Discussion will show the coordinators, reporter(s), and vendor organization(s) that are included in the case. The coordinators will create a pinned post with relevant information that will stay at the top of the discussion, and those added to the case are able to create posts or reply to posts. To create a post:

  1. Choose the corresponding case under "Cases"
  2. Go to the Case Discussion and scroll to the bottom
  3. Type your post in the text field using appropriate Markdown for formatting
  4. Click "Submit"

...

All of the attachments on a case are available at the bottom of the right bar under the "Documents" section in a Case Discussion. To upload an attachment:

...

To provide a vendor status of Affected/Unaffected/Unknown that will be included in the final publication:

  1. Log into VINCE, navigate to the corresponding case under "Cases"
  2. Click the drop-down in the center box at the top of the Case Discussion "# Vulnerability Identified"
    1. If this is the first time you are providing a vendor statement, the box will say "Action Required" and state the number of vulnerabilities identified
  3. Choose Affected, Unaffected, or Unknown, and click "Submit"
  4. At this point, it will go to the coordinators for approval

To provide a vendor statement that will be included in the final publication:

  1. Log into VINCE, navigate to the corresponding case under "Cases"
  2. Click the same center box that you used to provide your the vendor status that now says "Status submitted"
  3. Change the vendor status dropdown as needed
  4. Check the box for "Share status and statement pre-publication" if needed
  5. Type your statement in the Case Statement text box
  6. Include any applicable references in the Case References text box
  7. Any additional information that the coordinators want to include will be included in the CERT Addendum text box
  8. Click "Save" and your statement will go to the coordinators for approval

...