Submitting a case
Once a reporter has submitted a vulnerability report, they will receive an email with the VRF# (Vulnerability Reporting Form Number) as an acknowledgment of receipt of the report. At this point, the submission is placed in the "Pending" state, shown by the "Pending" tag within the report. Reporters can view their submitted reports that are in the "Pending" state by clicking on "My Vulnerability Reports" in the left menu bar.
If the coordinators have questions for the reporter before accepting the case for coordination (while it is still in the "Pending" state), they can comment directly on the VRF# with their questions. When this happens, the reporter will get an email stating that there was an update to their vulnerability report. The reporter will then need to log in to VINCE and check their vulnerability report for the update.
If a reporter wants to share more information with the coordinators while their case is still pending, they can add comments or files directly to the VRF#. To do this, they need to select the VRF# within the "My Vulnerability Reports" page and scroll below their report to find the comment box and file upload area.
Being notified of a case
Your organization will be notified when you are added to an open vulnerability case in the following ways:
- An email sent to ?? notifying your organization that they have been added to an open vulnerability case
- (something else? a banner?)
Getting added to a case
If you have been told about an existing vulnerability case by a group already involved and believe that you should also be involved, you can contact the coordinators to be added to the case. From the "Inbox", click the "New Message" button and choose "Request for Vendor Access to a Case" from the "Why are you contacting us?" dropdown.
Researchers are typically added to the case by default and should not need to explicitly request access. If you do need to request access, you should follow the same steps outlined above.
Participating in the case discussion
The right bar within the Case Discussion will show the coordinators, reporter(s), and vendor organization(s) that are included in the case. The coordinators will create a pinned post with relevant information that will stay at the top of the discussion.
other comms: pointer to comms, private thread, PM to coordinator
Giving a vendor statement
vul note/disclosure - be aware of vul note, review draft, comment/feedback, update vendor status, be aware that vul note is published
from the vul note page...
Vulnerability Notes are the advisories CERT/CC publishes for most, but not all, cases.
be aware of new and Review vulnerability note
suggest changes/provide feedback
link to providing vendor status
know when published/updated
What parts of comms in VINCE remain unpublished, what is published
CVSS (FAQ), other stuff about vul notes