Getting a VINCE account!

The VINCE  allows for you to anonymously report vulnerabilities! However, if you wish to participate in the coordination process, including discussions with vendors and researchers/reporters, then an account is required. VINCE was designed and created to encourage the interaction between vendors and reporters.  An potential benefit is that multi-vendor coordination efforts may become more cooperative – with vendors sharing information on how to mitigate the vulnerability.

Getting an account

Everyone involved in the coordinated vulnerability disclosure process will want a VINCE account. Obtaining a VINCE account is easy!  Visit our web page (https://kb.cert.org/vince) and get started.

Creating an account

1. Navigate to the VINCE site.
2. Click on "Create an Account".
3. Complete the VINCE form.
4. Wait for an email response granting your access.

Completing the VINCE form

1. Enter a valid email address which you can access. This field is case-sensitive.
2. Create a New Password with these requirements: (This field is case-sensitive.)
   
   1. minimum length is 8 characters
   2. Requires at least 1 number
   3. Requires at least 1 special character ("+" and "=" don't count)
   4. Requires uppercase letters
   5. Requires lowercase letters
3. Enter the same password for confirmation.
4. Enter Preferred Display Name.
   Note: this name is visible to other VINCE users. It may only contain 1 space and may not contain special characters.
5. Enter First name.
6. Enter Last name.
7. Enter Company/Affiliation.
8. Enter Job Title.
9. Click the box "I agree to the terms of service" after reviewing the terms of service.
10. Click on "Sign up".

Verify your account

When signing up for a VINCE account the user needs to provide a valid email address to receive the confirmation code to verify your account.

Once you receive the access code please:

1. Enter the code into the form
   
   
   
   
2. Click "Submit".
   
   

Account approval

Once you have submitted the confirmation code, your VINCE account needs to be approved.

1. VINCE coordinator reviews your account for approval.
2. Upon approval,
   
   1. You will receive an email indicating your account has been approved and you are directed to kb.cert.org/vince to log on.
      
      
      
   2. If you have your browser open and the approval came quickly, you may also have a popup box indicating you can now login.
      
      
   

Login first time - Multi-Factor Authentication Required

VINCE currently offers a choice

1. Time-based one-time (TOTP) passwords as second factor authentication. To use TOTP, you need access to an app such as Google Authenticator, Duo, or LastPass Authenticator.
2. Short Message Service (SMS) text messages

TOTP

1. Select "TOTP"
2. The system generates an image that is scanned into your device, running an application, and displays a scan code on your screen
3. Scan the code image into your authentication application.  This action should generate a numeric code.
4. Enter that temporary password (or code).
5. (Optional) Name that device, software or application, so you may easily access the correct code generator.
   
   
   
   
6. You will have two forms of confirmation your account has successfully enabled TOTP Multi-factor authentication on your account.
   1. Web page indicating success and displaying your "User Profile"
      
      
      
   2. An email message
      

SMS

1. Select "SMS".
2. Enter the phone number you will use to receive text messages containing an authorization code.
   
   1. Use the International format as follows: + (country code) phone number
   2. If you have a United States number, please use +1 NPA-XXX-XXXX
       (NPA: Numbering plan Area is also know as "area code")
      
3.  Click "Submit".
4. Verify your account by entering the authorization code contained in the text message.
   
   
   
   
5. You will have two forms of confirmation your account has successfully enabled SMS Multi-factor authentication on your account.
   1. Web page indicating success and displaying your User Profile.
      
      
      
      

   2. An email message.
      
      

Password Recovery

Because passwords can be forgotten, VINCE offers a password recovery feature. This option can be completed by the user.

1. Failed login attempt.
   1. A failed login attempt will display a reminder that the user email address and password are case sensitive.
   2. Within this box are two options:
      
      1. 1. "Forgot your password?"
      2. 2. "Signup for a VINCE account".
      
      
      
      
      
2. VINCE Password Reset.
   1. Enter the email address for a password reset.
   2.  Click "Submit".
      
      
      
      
   3. Or, Click "Need help?"
   4. Clicking on "Need help?" will display the VINCE Account Help providing:
      1. The link to reset your password;
      2. Telephone number to request assistance;
      3. Email address to request assistance.
      
      
      
      
      
3. If you have entered your Email address and clicked on "Submit" in the VINCE Password Recovery form, you should receive a VINCE generated email message.
   
   1.  Your email should have a message with a verification code.
      
      
      1. If you have not received an email, please check your spam folder
      2. Go back and re-enter the email address.
      3. If your email address has changed, please use the VINCE Account Help to get your current email address updated in the VINCE system.
         
         
   2. Enter the verification "Code".
   3. Enter the "New Password" (password requirements are the same).
   4. "Please re-enter Password".
   5. Click on "Submit".
      
      
      
      
   6. VINCE will respond with Password Reset Complete message .
   7. Click the "Login" button to login in with the new password.

• 2FA required
• Recover/reset account
• Want to be anonymous? See FAQ, can report without creating account.

--- if not Will; maybe a separate page? ---

• For vendors
• Creating a vendor
• Add user to vendor
• Vendor administrator