Getting a VINCE account
VINCE allows you to report vulnerabilities anonymously! However, if you wish to participate in the coordination process, including discussions with vendors and researchers/reporters, then an account is required. VINCE was designed and created to encourage interaction between vendors and reporters. A potential benefit is that multi-vendor coordination efforts may become more cooperative, with vendors sharing information on how to mitigate the vulnerability.
Getting an account
Everyone involved in the coordinated vulnerability disclosure process will want a VINCE account. Obtaining a VINCE account is easy! Visit our web page (https://kb.cert.org/vince) and get started.
Creating an account
- Navigate to the VINCE site.
- Click on "Create an Account".
- Complete the VINCE form.
- Wait for an email response granting your access.
Completing the VINCE form
- Enter a valid email address which you can access. This field is case-sensitive.
- Create a New Password with these requirements: (This field is case-sensitive.)
- Minimum length is 8 characters
- Requires at least 1 number
- Requires at least 1 special character ("+" and "=" don't count)
- Requires uppercase letters
- Requires lowercase letters
- Enter the same password for confirmation.
- Enter Preferred Display Name.
Note: this name is visible to other VINCE users. It may only contain 1 space and may not contain special characters.
- Enter First name.
- Enter Last name.
- Enter Company/Affiliation.
- Enter Job Title.
- Click the box "I agree to the terms of service" after reviewing the terms of service.
- Click on "Sign up".
Verify your account
When signing up for a VINCE account, you need to provide a valid email address to receive the confirmation code that verifies your account.
Once you receive the access code, please:
- Enter the code into the form.
- Click "Submit".
Account approval
Once you have submitted the confirmation code, your VINCE account needs to be approved.
- A VINCE coordinator reviews your account for approval.
- Upon approval:
- You will receive an email indicating your account has been approved and you are directed to kb.cert.org/vince to log on.
- If you have your browser open and the approval came quickly, you may also see a popup box indicating you can now log in.
Login first time - Multi-Factor Authentication Required
VINCE currently offers a choice of second-factor methods:
- Time-based one-time passwords (TOTP) as second-factor authentication. To use TOTP, you need access to an app such as Google Authenticator, Duo, or LastPass Authenticator.
- Short Message Service (SMS) text messages.
TOTP
- Select "TOTP".
- The system generates a scan code image and displays it on your screen, to be scanned into your device running an authentication application.
- Scan the code image into your authentication application. This action should generate a numeric code.
- Enter that temporary password (or code).
- (Optional) Name that device, software or application, so you may easily access the correct code generator.
- You will receive two forms of confirmation that TOTP multi-factor authentication has been successfully enabled on your account:
- Web page indicating success and displaying your "User Profile"
- An email message confirming your MFA was successfully enabled.
SMS
- Select "SMS".
- Enter the phone number you will use to receive text messages containing an authorization code.
- Use the International format as follows: + (country code) phone number
- If you have a United States number, please use +1 NPA-XXX-XXXX.
(NPA: Numbering Plan Area, also known as "area code")
- Click "Submit".
- Verify your account by entering the authorization code contained in the text message.
- You will receive two forms of confirmation that SMS multi-factor authentication has been successfully enabled on your account:
- Web page indicating success and displaying your User Profile.
- An email message confirming your MFA was successfully enabled.
Password Recovery
Because passwords can be forgotten, VINCE offers a password recovery feature. This option can be completed by the user.
- Failed login attempt.
- A failed login attempt will display a reminder that the user email address and password are case sensitive.
- Within this box are two options:
- 1. "Forgot your password?"
- 2. "Signup for a VINCE account".
- VINCE Password Reset.
- Enter the email address for a password reset.
- Click "Submit".
- Or, click "Need help?"
- Clicking on "Need help?" will display the VINCE Account Help providing:
- The link to reset your password;
- Telephone number to request assistance;
- Email address to request assistance.
- If you have entered your email address and clicked on "Submit" in the VINCE Password Recovery form, you should receive a VINCE-generated email message.
- Your email should have a message with a verification code.
- If you have not received an email, please check your spam folder.
- Go back and re-enter the email address.
- If your email address has changed, please use the VINCE "Account Help" to get your current email address updated in the VINCE system.
- Enter the verification "Code".
- Enter the "New Password" (password requirements are the same).
- "Please re-enter Password".
- Click on "Submit".
- VINCE will respond with a "Password Reset Complete" message.
- Click the "Login" button to log in with the new password.
- 2FA required
- Recover/reset account
- Want to be anonymous? See FAQ, can report without creating account.
- For vendors
- Creating a vendor
- Add user to vendor
- Vendor administrator