user-30e7f found this page in the internal wiki. Should any of it be included here? https://wiki-int.sei.cmu.edu/confluence/display/VulTeam/Vendor+FAQ

Vendor FAQ

Is CERT/CC changing how they coordinate vulnerabilities?

No. Although VINCE is a new platform upon which the coordination will occur, the same goals, practices, and policies remain in place for CERT/CC's coordinated vulnerability disclosure procedure.

What should I do if a reporter is not responding or participating in the discussion on VINCE?

If a reporter is not participating in the case, it is possible that the reporter chose not to create a VINCE account. CERT/CC also may not have contact information for the reporter, so it is possible that the reporter will not be involved in the case. If an unresponsive reporter is listed among the VINCE participants in the case discussion, CERT/CC may encourage the reporter to respond (perhaps by reaching out directly to the reporter).

How do I add my vulnerability status and submit an official statement?

Once CERT/CC has identified and added the vulnerabilities to the case, we will request the status and statement from each impacted vendor. At that time, you will be able to add a status (affected/unaffected) and an official statement from the case discussion page.

Who sees my status and statement?

Anyone participating in the case can see your status and statement before we publish the vulnerability note. Once CERT/CC publishes the vulnerability note, the public will be able to view your status and statement.

How do I change my vulnerability status or official statement?

You can update your status and modify your statement from the case discussion page (the same place where you provided your original status and statement).

How long do statement updates take to publish on a live vulnerability note?

CERT/CC will receive a notification when you update your statement. Once CERT/CC views and approves the update, the changes will be reflected immediately on the published vulnerability note.

What does "public" mean for my contact information?

Contact information marked "public" will be shared with participants who require it, including reporters. Our eventual goal is to share contact information marked as "public" on our website so that it can be searched by the general public.

How do I update my public contact information?

Use the "My Contact Info" page to edit your public contact information. Click "Edit My Contact Info" in the top right and toggle the "Public" switch to "Yes" to make specific contact information public. By default, all contact information that CERT/CC has for your organization is set to "Not Public".

How can I give VINCE access to someone else in my organization?

Each organization has a designated group administrator account. This account can invite users to the organization's group, which in turn allows access to the organization's cases. If a group administrator is not set for your organization, send CERT/CC a private message with the email address of the desired group administrator, and we will make the change. If you are the group administrator, you may invite someone from the User Management Page by adding the new user's email address. This email address must match the email associated with the user's VINCE account. If an existing VINCE user is added to an organization, the user must log out and back in to gain access to the organization's cases. Users associated with an organization automatically have access to all of the organization's cases.

Can I control which cases specific people in my organization have access to?

Not at this time. We hope to add this feature in the near future.