Why is the CERT/CC moving to a collaborative vulnerability coordination process?

The CERT/CC is moving to a collaborative vulnerability coordination process because it is more efficient, it fosters goodwill and trust among those involved, and it consolidates relevant information into a single shared space. The change to a bus topology eases communication between parties when multiple vendors are involved, lessens the requirement for a coordinator to be a moderator, and increases the speed of information transmission in multiparty vulnerability coordination efforts.

...

We encourage both vendors and reporters to create a VINCE account to facilitate active involvement in the coordination of vulnerabilities reported to the CERT/CC. A vendor without an account will be unable to view vulnerability reports shared with CERT/CC or participate in the coordination process. A reporter without an account will be unable to communicate with vendors or receive updates on the coordination status of submitted reports. A reporter can create an account after submitting a vulnerability report to gain access to submitted reports, as long as the account is created using the same email address that was provided in the submitted report.

What is the service-level agreement (SLA) between the CERT/CC and VINCE users?

Vendors and reporters can expect a response from CERT/CC within three days.

...