General Policy Questions
Why is CERT/CC moving to a collaborative vulnerability coordination process?
CERT/CC is moving to a collaborative vulnerability coordination process because it is more efficient, fosters goodwill and trust between those involved, and provides for a consolidation of relevant information into a single shared space. The change to a bus topology will ease communication between vendors when multiple parties are involved, lessen the requirement for a coordinator to be a moderator, and increase speed (and ideally the accuracy) of information transmission in multiparty vulnerability coordination efforts.
Why should I make a VINCE account?
We encourage both vendors and reporters to make a VINCE account so that they can be actively involved in the coordination of vulnerabilities reported to CERT/CC. Vendors without an account will be unable to view vulnerability reports shared with CERT/CC or participate in the coordination process. Reporters without an account will be unable to communicate with vendors or receive updates on the coordination status of submitted reports. Reporters without an account can create one after submission to gain access to their reports, as long as the account created uses the same email address as the email address provided in the submission.
What is the service-level agreement (SLA) between CERT/CC and VINCE users?
Vendors and reporters can expect a response from CERT/CC within three days.
What happened to PGP email?
The VINCE platform does not require PGP for secure communications; instead it relies on account access controls and HTTPS (TLS encryption in transit) to keep case discussions and messaging secure. Vendors and reporters are still able to upload and share PGP keys on their contact page for interested parties who want to exchange encrypted email outside the platform.
What type of case does CERT/CC usually coordinate?
CERT/CC considers the following conditions when deciding to coordinate:
- whether the vendor or maintainer has not replied in a reasonable time frame (typically about two weeks)
- whether the vendor was initially responsive, but then stopped responding (typically about two weeks of silence)
- whether the vendor has fixed a critical issue, but did not clearly document the fix in a security advisory, news article, or changelog
- whether the vulnerability affects multiple vendors, which would be difficult for an individual reporter to coordinate alone
- whether the vulnerability is extremely serious and could cause extensive nationwide or worldwide damage (for example, problems with internet infrastructure protocols like DNS and NTP)
- whether the reporter wishes to remain anonymous
More information on this topic can be found on our wiki.
Can I still send email to email@example.com?
We prefer that you message us through the VINCE site, but you may still email us at firstname.lastname@example.org. Please continue to use the appropriate tracking number (VRF# or VU#) in the subject of the email. Messages through the VINCE site will have a faster response time than email.
Who sees my private messages with CERT?
A direct private message sent to CERT/CC by an individual user can be seen by the user and CERT/CC analysts. A direct private message sent from CERT/CC to a vendor can be seen by CERT/CC analysts and all members of the vendor organization with associated VINCE accounts.
Who sees the posts in the case discussion?
Anyone participating in the case can see the posts in the case discussion. All coordinators, vendors, and participants are listed on the left-hand side of the case view.
Who sees my status and statement?
Anyone participating in the case can see your status and statement before we publish the vulnerability note. Once CERT/CC publishes the vulnerability note, the public will be able to view your status and statement.
What does "public" mean for my contact information?
Contact information marked "public" will be shared with participants that require it, including reporters. Our eventual goal is to share contact information marked as "public" on our website so that it can be searched by the general public.
Can I private message a VINCE user other than CERT/CC?
No, you are unable to direct private-message another VINCE user. We encourage all relevant case discussion and coordination to happen within VINCE's case discussion page.
Who are the coordinators? Can there be more than one?
The coordinators will primarily be members of the vulnerability analysis team within CERT/CC. At this time, CERT/CC is the only coordinator in VINCE.