CERT/CC is moving to a collaborative vulnerability coordination process because it is more efficient, it fosters goodwill and trust among those involved, and it consolidates relevant information into a single shared space. The change to a bus topology eases communication between parties when multiple vendors are involved, it lessens the requirement for a coordinator to be a moderator, and it increases speed of information transmission in multiparty vulnerability coordination efforts.
We encourage both vendors and reporters to make a VINCE account to facilitate active involvement in the coordination of vulnerabilities reported to CERT/CC. A vendor without an account will be unable to view vulnerability reports shared with CERT/CC or participate in the coordination process. A reporter without an account will be unable to communicate with vendors or receive updates on the coordination status of submitted reports. A reporter can create an account after submitting a vulnerability report to gain access to submitted reports, as long as the account is created using the same email address as the email address provided in the submitted report.
Vendors and reporters can expect a response from CERT/CC within three days.
The VINCE platform does not require PGP for secure communications. VINCE relies on account access controls and HTTPS to keep case discussions and messaging secure. Vendors and reporters are still able to upload and share PGP keys on their contact pages.
CERT/CC considers the following conditions when deciding to coordinate:
More information on this topic can be found on our wiki.
We prefer that you message us through VINCE, but you may still email us at cert@cert.org. Please continue to use the appropriate tracking number (VRF# or VU#) in the subject of any email you send to us. Messages through the VINCE site will have a faster response time than email.
A direct private message sent to CERT/CC by an individual user can be seen by the user and CERT/CC analysts. A direct private message sent from CERT/CC to a vendor can be seen by CERT/CC analysts and all members of the vendor organization with associated VINCE accounts.
Anyone participating in the case can see the posts in the case discussion. Additionally, any participants that are added after discussion has begun will have access to the full discussion forum, including previous posts that occurred before the new participants joined the discussion. All coordinators, vendors, and participants are listed on the left-hand side of the case view.
No, you are unable to direct private-message another VINCE user. We encourage all relevant case discussion and coordination to happen within VINCE's case discussion page.
The coordinators will primarily be members of the vulnerability analysis team within CERT/CC. At this time, CERT/CC is the only coordinator in VINCE.