
General Policy Questions

Why is CERT/CC moving to a collaborative vulnerability coordination process?

CERT/CC is moving to a collaborative vulnerability coordination process because it is more efficient, fosters goodwill and trust between those involved, and consolidates relevant information into a single shared space. Moving from a model in which every exchange passes through the coordinator to a bus topology, in which all participants post to one shared case discussion, eases communication between vendors when multiple parties are involved, lessens the need for the coordinator to act as moderator, and increases the speed (and ideally the accuracy) of information transmission in multiparty vulnerability coordination efforts.

Why should I make a VINCE account?

We encourage both vendors and reporters to make a VINCE account so that they can be actively involved in the coordination of vulnerabilities reported to CERT/CC. Vendors without an account will be unable to view vulnerability reports shared with CERT/CC or participate in the coordination process. Reporters without an account will be unable to communicate with vendors or receive updates on the coordination status of submitted reports. Reporters without an account can create one after submission to gain access to their reports, as long as the account created uses the same email address as the email address provided in the submission.

What is the service-level agreement (SLA) between CERT/CC and VINCE users?

Vendors and reporters can expect a response from CERT/CC within three days.

What happened to PGP?

VINCE does not require PGP for secure communication; it relies instead on account access controls and HTTPS to protect case discussions and messaging. Vendors and reporters can still upload and share PGP keys on their contact page for interested parties.

What type of case does CERT/CC usually coordinate?

CERT/CC considers the following conditions when deciding to coordinate:

  • whether the vendor or maintainer has not replied in a reasonable time frame (typically about two weeks)
  • whether the vendor was initially responsive, but then stopped responding (typically about two weeks of silence)
  • whether the vendor has fixed a critical issue, but did not clearly document the fix in a security advisory, news article, or changelog
  • whether the vulnerability affects multiple vendors, which would be difficult for an individual reporter to coordinate alone
  • whether the vulnerability is extremely serious and could cause extensive nation-wide or world-wide damage (for example, problems with internet infrastructure protocols like DNS and NTP)
  • whether the reporter wishes to remain anonymous

More information on this topic can be found on our wiki.

Can I still send email to cert@cert.org?

We prefer that you message us through the VINCE site, but you may still email us at cert@cert.org. Please continue to use the appropriate tracking number (VRF# or VU#) in the subject of the email. Messages through the VINCE site will have a faster response time than email.

Who sees my private messages with CERT?

A direct private message sent to CERT/CC by an individual user can be seen by the user and CERT/CC analysts. A direct private message sent from CERT/CC to a vendor can be seen by CERT/CC analysts and all members of the vendor organization with associated VINCE accounts.

Who sees the posts in the case discussion?

Anyone participating in the case can see the posts in the case discussion. All coordinators, vendors, and participants are listed on the left-hand side of the case view.

Who sees my status and statement?

Anyone participating in the case can see your status and statement before we publish the vulnerability note. Once CERT/CC publishes the vulnerability note, the public will be able to view your status and statement.

What does "public" mean for my contact information?

Contact information marked "public" will be shared with participants that require it, including reporters. Our eventual goal is to share contact information marked as "public" on our website so that it can be searched by the general public.

Can I private message a VINCE user other than CERT/CC?

No, you are unable to direct private-message another VINCE user. We encourage all relevant case discussion and coordination to happen within VINCE's case discussion page.

Who are the coordinators? Can there be more than one?

The coordinators will primarily be members of the vulnerability analysis team within CERT/CC. At this time, CERT/CC is the only coordinator in VINCE.

Vendor FAQ

Is CERT/CC changing how they coordinate vulnerabilities?

No. Although VINCE is a new platform upon which the coordination will occur, the same goals, practices, and policies remain in place for CERT/CC's coordinated vulnerability disclosure procedure.

What should I do if a reporter is not responding or participating in the discussion on VINCE?

If a reporter is not participating in the case, it is possible that the reporter chose not to create a VINCE account. CERT/CC also may not have contact information for the reporter, so it is possible that the reporter will not be involved in the case. If an unresponsive reporter is listed among the VINCE participants in the case discussion, CERT/CC may encourage the reporter to respond (perhaps by reaching out directly to the reporter).

How do I add my vulnerability status and submit an official statement?

Once CERT/CC has identified and added the vulnerabilities to the case, we will request the status and statement from each impacted vendor. At that time, you will be able to add a status (affected/unaffected) and an official statement from the case discussion page.

How do I change my vulnerability status or official statement?

You can update your status and modify your statement from the case discussion page (the same place that you provided your original status and statement).

How long do statement updates take to publish on a live vulnerability note?

CERT/CC will receive a notification when you update your statement. Once CERT/CC views and approves the update, the changes will be reflected immediately on the published vulnerability note.

How do I update my public contact information?

Use the "My Contact Info" page to edit your public contact information. Click "Edit My Contact Info" in the top right and toggle the "Public" switch to "Yes" to make specific contact information public. By default, all contact information that CERT/CC has for your organization is set to "Not Public".

How can I give VINCE access to someone else in my organization?

Each organization has a designated group administrator account. This account can invite users to the organization's group, which in turn gives them access to the organization's cases. If a group administrator is not set for your organization, send CERT/CC a private message with the email address of the desired group administrator, and we will make the change. If you are the group administrator, you may invite someone from the User Management Page by adding the new user's email address. This email address must match the email associated with the user's VINCE account. If an existing VINCE user is added to an organization, the user must log out and back in to gain access to the organization's cases. Users associated with an organization automatically have access to all of the organization's cases.

Can I control which cases specific people in my organization have access to?

Not at this time. We hope to add this feature in the near future.

Reporter FAQ

Can I participate anonymously?

You are welcome to participate anonymously by creating an account without any personally identifiable information. Only your chosen display name appears in the case discussion, so your first and last name will not appear anywhere. To assist with anonymity, we suggest creating the VINCE account with a disposable or temporary email address and using a pseudonym as your display name.

Will the vendor know who I am?

The vendor and any other participant in the case will only be able to see the display name you choose when you create the VINCE account. This name can be changed at any time from the Profile page.

What happens to reports submitted anonymously (i.e., without being linked to a VINCE account)?

Because a VINCE account is required in order to access case files, you will be unable to participate in the coordination process for reports that are not associated with a VINCE account. It is possible to create a VINCE account after submitting your report, which will grant access to your initial report (and the ensuing coordination activities) as long as the email address listed on the report is the same as the one used to create the VINCE account.

What should I do if a vendor is not responding?

If a vendor is unresponsive, CERT/CC will attempt to elicit participation from the vendor, but CERT/CC can coordinate disclosure and publish a Vulnerability Note without the vendor's involvement.

What do the various case statuses mean?

The report status will be "pending" when you initially submit your vulnerability report. The status will change to "open" once we accept the report for coordination and assign an associated VU# tracking number. "Closed" indicates that CERT/CC has either not accepted the report for coordination, or coordination is complete. "Published" means that CERT/CC has published a vulnerability note associated with the case to kb.cert.org.

How can I add information to my submitted vulnerability report?

You can edit your initial vulnerability report until we have accepted or declined the report for coordination. Once the status of your initial vulnerability report leaves the "pending" status, you will be unable to edit your report. If you need to provide CERT/CC with more information, you can add a comment to the vulnerability report, post in the open case discussion, or send CERT/CC a direct private message.

How do I ask CERT/CC to reconsider a closed case?

You can add a comment to the closed VRF# report with any additional information that you think is relevant for reconsideration, including new vulnerability details or a change in vendor cooperation.

Will CERT/CC give me a CVE ID?

CERT/CC may assign CVEs to vulnerabilities that we actively coordinate, but typically only after vendor(s) have declined to do so. Reporters may always request a CVE ID by contacting the CVE Program directly using cveform.mitre.org, so if you are attempting to obtain a CVE ID for your report, we suggest starting there.

Can I add another researcher/reporter to a current case?

If another researcher should be added to the case, please send CERT/CC a direct private message with the user's VINCE account information, including the email address.

Who else can see my report?

If CERT/CC accepts the vulnerability report for coordination, any participant added to the case (including vendors) will be able to see your initial report.

What should I do if a reporter is not responding/participating?

If a reporter is not participating in the case, CERT/CC will do our best to encourage them to respond to your questions.

What should I do if a vendor is not responding?

If a vendor is not participating in the case, CERT/CC will do our best to encourage them to respond but we will plan to publish a vulnerability note with or without their involvement.

API FAQ

How do I use the API?

To be added...
