I don't want a VINCE account!
Whatever your reason for not wanting an account, you may still report vulnerabilities – anonymously! However, if you want to participate in the coordination process, including discussions with vendors and researchers/reporters, then an account is required. VINCE was designed and created to encourage interaction between vendors and reporters. A potential benefit is that multi-vendor coordination efforts may become more cooperative – with vendors sharing information on how to mitigate the vulnerability.
Getting an account
Everyone involved in the coordinated vulnerability disclosure process will want a VINCE account. Obtaining a VINCE account is easy! Visit our web page (kb.cert.org/vince) and get started.
Creating an account
- Navigate to our VINCE site
- Click on "Create an Account"
- Complete the VINCE form
- Watch for an email response granting your access.
Completing the VINCE form
- Enter a valid email address which you can access. This field is case-sensitive.
- Create a New Password with these requirements: (This field is case-sensitive.)
  - Minimum length is 8 characters
  - Requires at least 1 number
  - Requires at least 1 special character ("+" and "=" don't count)
  - Requires uppercase letters
  - Requires lowercase letters
- Password confirmation
- Preferred Display Name
  Note: this name is visible to other VINCE users. It may only contain 1 space and may not contain special characters.
- First name
- Last name
- Company/Affiliation
- Job Title
- Click the box to agree to the terms of service.
- Click on Sign up
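A pre-check for the password and display-name rules listed above, useful for testing a password-manager generation policy before filling in the form. This is an added example, not VINCE code; the function names are hypothetical, and it assumes "special character" means ASCII punctuation, since the page only states that "+" and "=" do not count.

```python
from __future__ import annotations

import string

# Assumption: ASCII punctuation is the special-character set. The page only
# says that "+" and "=" do not satisfy the rule, so they are excluded here.
COUNTED_SPECIALS = set(string.punctuation) - {"+", "="}


def password_problems(password: str) -> list[str]:
    """Return the listed password rules that `password` fails (empty = OK)."""
    problems = []
    if len(password) < 8:
        problems.append("minimum length is 8 characters")
    if not any(c in string.digits for c in password):
        problems.append("at least 1 number")
    if not any(c in COUNTED_SPECIALS for c in password):
        problems.append('at least 1 special character ("+" and "=" don\'t count)')
    if not any(c.isupper() for c in password):
        problems.append("uppercase letters")
    if not any(c.islower() for c in password):
        problems.append("lowercase letters")
    return problems


def display_name_problems(name: str) -> list[str]:
    """Return the listed display-name rules that `name` fails (empty = OK)."""
    problems = []
    if name.count(" ") > 1:
        problems.append("may only contain 1 space")
    # Assumption: anything other than a letter, digit or space is "special".
    if any(not (c.isalnum() or c == " ") for c in name):
        problems.append("may not contain special characters")
    return problems


if __name__ == "__main__":
    # Constructed samples: the second password's only symbol is "+".
    for candidate in ("Tr1cky-Pass", "Tr1cky+Pass", "short"):
        print(candidate, password_problems(candidate) or "OK")
    for candidate in ("Ada Lovelace", "Ada M Lovelace", "ada_l"):
        print(candidate, display_name_problems(candidate) or "OK")
```

A password whose only symbol is "+" or "=" fails the special-character rule even though it looks compliant.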
Verify your account
When signing up for a VINCE account, you need to provide a valid email address so that you can receive the confirmation code used to verify your account.
Once you receive the access code, please:
- Enter the code into the form
- Click submit.
Account approval
Once you have submitted the confirmation code, your VINCE account needs to be approved.
- A VINCE coordinator reviews your account for approval.
- Upon approval:
  - You will receive an email indicating your account has been approved and directing you to kb.cert.org/vince to log on.
  - If you have your browser open and the approval came quickly, you may also have a popup box indicating you can not login.
Login first time - Multi-Factor Authentication Required
VINCE currently offers a choice:
- Time-based one-time passwords (TOTP) as second-factor authentication. To use TOTP, you need access to an app such as Google Authenticator, Duo, or LastPass Authenticator.
- Short Message Service (SMS) text messages
TOTP
- Select TOTP
- The system generates an image that is scanned into your device, running an application ... and displays the scan code on your screen
- Scan the code into your authentication application. This action should generate a code.
- Enter that temporary password (or code).
- (Optional) Name that device, software or application, so you may easily access the correct code generator.
- You will receive two forms of confirmation that TOTP multi-factor authentication has been successfully enabled on your account:
- Web page indicating success and displaying your User Profile
- An email message
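What the authenticator app computes after the scan, shown as an added example that is not VINCE code. It assumes the scanned image carries a standard otpauth:// key URI and the common RFC 6238 defaults (HMAC-SHA-1, 30-second step, 6 digits); the URI, account label and secret are constructed from the RFC's published test key, and verify() is a hypothetical server-side check.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/VINCE:user@example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=VINCE")


def secret_from_uri(uri: str) -> bytes:
    """Extract and decode the shared secret from an otpauth:// TOTP URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    secret = parse_qs(parsed.query)["secret"][0].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # restore stripped base32 padding
    return base64.b32decode(secret)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for Unix time `at`: HOTP over the time-step counter."""
    counter = int(at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Hypothetical server check: accept codes within +/- `window` steps."""
    return any(
        hmac.compare_digest(totp(key, at + d * step, step), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    print(totp(key, 59))                   # code for the RFC test time T=59
    print(verify(key, totp(key, 59), 89))  # one step late, still accepted
```

Because the code depends only on the shared secret and the clock, a device whose time has drifted beyond the accepted window produces codes that are rejected.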
SMS
- Select SMS
- Enter the phone number you will use to receive text messages containing an authorization code.
- Use the International format as follows: + (country code) phone number
- If you have a United States number, please use +1 NPA-XXX-XXXX
(NPA: Numbering plan Area a.k.a. area code)
- Click Submit
- Verify your account by entering the authorization code contained in the text message.
- You will receive two forms of confirmation that SMS multi-factor authentication has been successfully enabled on your account:
  - Web page indicating success and displaying your User Profile
  - An email message
Password Recovery
Because passwords can be forgotten, VINCE offers a password recovery feature. This option can be completed by the user.
- Failed login attempt
- A failed login attempt will display a reminder that the user email address and password are case sensitive.
- Within this box are two options:
- 1. Forgot your password?
- 2. Signup for a VINCE account
- VINCE Password Reset
- Enter the email address for a password reset,
- Click Submit
- Or, Click Need help?
- Need help? will display the VINCE Account Help providing:
- The link to reset your password;
- Telephone number to request assistance;
- Email address to request assistance.
- VINCE Password Recovery form
- Your email should have a message with a verification code.
- If you have not received an email, please check your spam folder
- Go back and re-enter the email address.
- If your email address has changed, please use the VINCE Account Help to get your current email address updated in the VINCE system.
- Enter the verification code;
- Enter the new password (password requirements are the same);
- Re-enter the new password;
- Click on Submit.
- VINCE will respond with Password Reset Complete message and the link to login.
- 2FA required
- Recover/reset account
- Want to be anonymous? See FAQ, can report without creating account.
- For vendors
- Creating a vendor
- Add user to vendor
- Vendor administrator