Before the Case Discussion

Submitting a case

A reporter can submit a vulnerability report by filling out the vulnerability reporting form at this address: https://kb.cert.org/vuls/vulcoordrequest/. It is strongly recommended that you submit this report while logged into your VINCE account.

...

If a reporter wants to share more information with the coordinators while their case is still pending, they can add comments or files directly to the VRF#. To do this, they need to select the VRF# within the "My Vulnerability Reports" page and scroll below their report to find the comment box and file upload area.

...

Getting notified of a case

If your organization has not yet been added to any cases, you will see the following message on your Dashboard:

...

Your organization will receive an email notification when you are added to an open vulnerability case. You will also be able to view the case on your Dashboard, under "Your active cases", when you log into VINCE.

Using the inbox

The inbox can be used if anyone involved needs to send a private message to the coordinators regarding a case or a variety of other topics. To send a message:

  1. Go to the "Inbox" and click the "Private Message CERT/CC" button in the top right
  2. Select the subject for your message from the drop-down menu, type your message, then click "Send"

These messages can only be seen by members of the CERT Coordination Center. The Inbox cannot be used to message the reporter or other vendors in a case.

Getting added to a case

If a group already involved in an existing vulnerability case has told you about it and you believe that you should also be involved, you can contact the coordinators to be added to the case. To request access to a case:

...

Researchers are typically added to the case by default and should not need to explicitly request access. If you do need to request access, you should follow the same steps outlined above.

Within the Case Discussion

Participating in the case discussion

When you first join a case, you will see a banner at the top saying, "Reminder! The coordination of this case is subject to our Vulnerability Disclosure Policy." When sharing in the case discussion, all parties are expected to abide by the Rules of Engagement and the Vulnerability Disclosure Policy.

...

It may be beneficial for you to also include your organization's internal tracking ID on case communications. To do this, please click "+Add tracking ID" on the right side of the Case Discussion page.

Using the inbox

The inbox can be used if anyone involved needs to send a private message to the coordinators regarding a case or a variety of other topics. To send a message:

  1. Go to the "Inbox" and click the "Private Message CERT/CC" button in the top right
  2. Select the subject for your message from the drop-down menu, type your message, then click "Send"

These messages can only be seen by members of the CERT Coordination Center. The Inbox cannot be used to message the reporter or other vendors in a case.

Uploading or downloading an attachment

All of the attachments on a case are available at the bottom of the right bar under the "Documents" section. To upload an attachment:

...

To download the attachment, click the file name.

Giving a vendor status and statement

To provide a vendor status of Affected/Unaffected/Unknown that will be included in the final publication:

...

  1. Click the same center box that you used to provide your vendor status, which now says "Status submitted"
  2. Change the vendor status dropdown as needed
  3. Check the box for "Share status and statement pre-publication" if needed
  4. Type your statement in the Case Statement text box
  5. Include any applicable references in the Case References text box
  6. Any additional information that the coordinators want to include will appear in the CERT Addendum text box
  7. Click "Save" and your statement will go to the coordinators for approval

Reviewing a Vulnerability Note

The coordinators will typically share the draft vulnerability note with those involved prior to publishing the case. The top right box in the Case Discussion displays the "Expected Date Public". When a draft vulnerability note becomes available, that box will include a link that says "View the draft vulnerability note". Click this link to view the draft note, and share any comments, questions, or concerns regarding the draft with the coordinators either in the Case Discussion or as a private message in the Inbox.

...