The VINCE coordination platform allows anyone to report vulnerabilities anonymously. However, if you wish to participate in the coordination process, including discussions with vendors and researchers/reporters, then an account is required. We recommend that each individual on a team create a VINCE account to participate on behalf of their organization. The account will provide the ability to view case information, post in the case discussion, provide vendor status and statement updates, and direct message CERT/CC. VINCE was designed and created to encourage the interaction between vendors and reporters, so creating an account and participating in the coordination efforts will increase cooperation, information sharing, and allow
The overall process of obtaining a VINCE account is:
If you are a researcher or the first employee from your vendor organization to create a VINCE account, then your account is placed into a pending state for CERT/CC review and approval. Once approved, you will receive an email notification. You will still need to be associated with your organization in VINCE by a CERT/CC analyst. Please send us a direct message requesting to be associated with your organization and we will independently verify with your organization that the request is valid. If you are the first user for the vendor, we will additionally make you the administrator so that you may manage the group.
If you are part of an existing vendor and your group administrator invited you directly to VINCE, then you should automatically be associated with your vendor and see any cases that they are involved in on your Dashboard. If you do not see cases and expect to, please send us a direct message. If your group has an administrator in VINCE, we will forward your association request to that administrator.
VINCE accounts require multifactor authentication for obvious security reasons. This requirement is part of the reason we recommend that each user has their own individual account rather than a shared team account: with a shared account, the team would have to securely share the MFA token as well.
VINCE currently offers a choice of authentication options:
CERT/CC recommends using TOTP as opposed to SMS multifactor authentication for VINCE accounts. Aside from the increased security that TOTP provides, there have been issues with various mobile carriers marking these SMS messages as spam, which prevents the user from ever receiving the message. If SMS is the only option for authentication, then users are encouraged to reach out to their provider directly for customer service if they run into issues. We recommend asking them to have the SMS short code block cleared for their account.
An email message confirming your MFA was successfully enabled
If a user needs to recover their password, they can use the VINCE password recovery feature. This can be accessed by clicking "Forgot your password?" on the login page or clicking the previous link. CERT/CC analysts will review these requests and may reach out to you for confirmation or validation of the request.
If you need additional help, you can click the "Need help?" link that will share the following information:
If you forgot your password, you can reset your password.
If you lost your multi-factor authentication (MFA) device, you will need to contact us at +1 412-268-5800 or firstname.lastname@example.org to reset your account.