Submitting a case

A reporter can submit a vulnerability report by filling out the vulnerability reporting form at this address: https://kb.cert.org/vuls/vulcoordrequest/ . It is strongly recommended that you submit this report while logged into your VINCE account.

Once a reporter has submitted a vulnerability report, they will receive an email with the VRF# (Vulnerability Reporting Form Number) as an acknowledgment of receipt of the report. At this point, the submission is placed in the "Pending" state, shown by the "Pending" tag within the report. Reporters can view their submitted reports that are in the "Pending" state by clicking on "My Vulnerability Reports" in the left menu bar.

If the coordinators have questions for the reporter before accepting the case for coordination (while it is still in the "Pending" state), they can comment directly on the VRF# with their questions. When this happens, the reporter will get an email stating that there was an update to their vulnerability report. They will need to log into VINCE and check their vulnerability report for the update.

...

Being notified of a case

If your organization is not yet added to any cases, you will see the following message on your Dashboard:

"Welcome to VINCE! We currently do not have any active cases involving your organization. You can submit a new vulnerability report or contact us about your membership."

Your organization will be notified when you are added to an open vulnerability case by receiving an email. You will also be able to view the case on your Dashboard when you log into VINCE under "Your active cases".

...

If you have been told about an existing vulnerability case from a group already involved and believe that you should also be involved, you can contact the coordinators to be added to the case. To request access to a case:

  1. From the "Inbox", click the "New Message" button
  2. Choose "Request for Vendor Access to a Case" from the "Why are you contacting us?" dropdown

...

  1. Fill in additional details regarding why you believe you should be added to the case, including the tracking number for the case you are requesting access to
  2. Click "Send"

Researchers are typically added to the case by default and should not need to explicitly request access. If you do need to request access, you should follow the same steps outlined above.

...

The right bar within the Case Discussion will show the coordinators, reporter(s), and vendor organization(s) that are included in the case. The coordinators will create a pinned post with relevant information that will stay at the top of the discussion, and those added to the case are able to create posts or reply to posts. To create a post:

  1. Go to the Case Discussion and scroll to the bottom
  2. Type your post in the text field using appropriate Markdown for formatting
  3. Click "Submit"

It may be beneficial for you to also include your organization's internal tracking ID on case communications. To do this, please click "+Add tracking ID" on the right side of the Case Discussion page.

Using the inbox

The inbox can be used if anyone involved needs to send a private message to the coordinators regarding a case or a variety of other topics. To send a message:

  1. Go to the "Inbox" and click the "Private Message CERT/CC" button in the top right

...

  1. Select the subject for your message from the drop-down menu, type your message, then click "Send"

These messages can only be seen by members of the CERT Coordination Center. The Inbox cannot be used to message the reporter or other vendors in a case.

...

The coordinators will typically share the draft vulnerability note with those involved prior to publishing the case. To review the draft vulnerability note, click the box at the top right of the Case Discussion

Publishing a Vulnerability Note

vul note/disclosure - be aware of vul note, review draft, comment/feedback, update vendor status, be aware that vul note is published

from the vul note page...

Vulnerability Notes are the advisories CERT/CC publishes for most, but not all, cases.

be aware of new and Review vulnerability note

suggest changes/provide feedback

link to providing vendor status

know when published/updated

What parts of comms in VINCE remain unpublished, what is published

CVSS (FAQ), other stuff about vul notes