Madison Oliver

prefer verbs in headings for UX/workflow/action headings

example/idealized/common workflow, for a vendor


Submitting a case

Once a reporter has submitted a vulnerability report, they will receive an email with the VRF# (Vulnerability Reporting Form Number) as an acknowledgment of receipt of the report. At this point, the submission is placed in the "Pending" state, shown by the "Pending" tag within the report. Reporters can view their submitted reports that are in the "Pending" state by clicking on "My Vulnerability Reports" in the left menu bar.


If you have been told about an existing vulnerability case from a group already involved and believe that you should also be involved, you can contact the coordinators to be added to the case. From the "Inbox", click the button "New Message" and choose "Request for Vendor Access to a Case" from the "Why are you contacting us?" dropdown.

Researchers are typically added to the case by default and should not need to explicitly request access. If you do need to request access, you should follow the same steps outlined above.

Participating in the case discussion

When sharing in the case discussion, all parties are expected to abide by the Rules of Engagement and the Vulnerability Disclosure Policy.

The right bar within the Case Discussion will show the coordinators, reporter(s), and vendor organization(s) that are included in the case. The coordinators will create a pinned post with relevant information that will stay at the top of the discussion.

other comms: pointer to comms, private thread, PM to coordinator


vul note/disclosure - be aware of vul note, review draft, comment/feedback, update vendor status, be aware that vul note is published

from the vul note page...

Vulnerability Notes are the advisories CERT/CC publishes for most, but not all, cases.

be aware of new and Review vulnerability note

suggest changes/provide feedback

link to providing vendor status

know when published/updated

What parts of comms in VINCE remain unpublished, what is published

CVSS (FAQ), other stuff about vul notes