-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

In March, the CERT/CC started using a custom-developed web-based platform for vulnerability coordination. This platform is called VINCE: Vulnerability Information and Coordination Environment. We have been slowly moving new vulnerability reports to VINCE and inviting vendors to VINCE on a case-by-case basis.

VINCE represents a significant change in how we perform vulnerability coordination. Change has costs, and we realize that we are asking you to share these costs. We believe the investment will pay off by reducing per-case effort, improving scalability and coverage, and maturing the state of coordinated vulnerability disclosure practice.

We are now actively transitioning to VINCE as the primary means to

* receive vulnerability reports
* notify vendors about potential vulnerabilities
* discuss and coordinate vulnerability reports before public disclosure
* allow vendors to provide status and vendor statements
* review and publish vulnerability notes
* allow vendors to manage their contact information

Some changes of note:

* We are intentionally stepping back from the role of central communications hub and mediator of all communications. Our default stance is that reporters (researchers) and vendors will all participate in a shared per-case discussion forum in VINCE. There are features in VINCE that support private communication between CERT/CC and vendors, but we advocate a more collaborative and efficient coordination model, thus the shared case discussion forum.

* Expect less and less email from us, including PGP email. Notifications for new vulnerability reports will be made primarily through VINCE.

* VINCE sends notification mail From: <[email protected]>. Notifications are not PGP signed or encrypted and do not contain case details or other sensitive information.

* <[email protected]> (with a VU# ID in the subject please) still works, and <[email protected]> is effectively <[email protected]>, but we encourage you to at least start testing VINCE.

* We recognize that using many different web platforms for vulnerability coordination will not scale well. Our proposed solution is an API. While initially designed for VINCE, we see the need for a global interoperability standard, and welcome testing, feedback, and feature requests for the API.

  <https://vuls.cert.org/confluence/display/VIN/API>

As of yet there is no deadline or requirement to switch to VINCE, and we are still handling some coordination through PGP email. However, as the transition continues, email and PGP will become a secondary channel for coordination and not receive the same level of service as VINCE.

We invite and encourage you to register for a VINCE account:

<https://kb.cert.org/vince/>

The model is that individuals create VINCE accounts, then those VINCE users are assigned to one or more vendor groups. An authorized VINCE user can be given administrative privileges to manage the vendor group. A VINCE vendor group is roughly analogous to a PSIRT.

We take considerable care to properly associate user accounts with vendor groups. We use our existing contacts, PGP, and other evidence to verify associations. After you register for a VINCE account, verification may cause delay before we associate you with a vendor group. Providing evidence (e.g., PGP-signed mail) of your association with a vendor will speed up the verification process.

VINCE documentation:

<https://vuls.cert.org/confluence/display/VIN/VINCE+Documentation>

Regards,

- Art

- -- 
Art Manion - CERT Coordination Center
<https://kb.cert.org/>
<[email protected]>
+1 412-268-5800
6216 58A6 CE37 C480 E55B F4D9 45FD 541A B93E D52B

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCAAGBQJfYoTCAAoJEEX9VBq5PtUrwsIP/jzEVOHDfatQiStebS8gQJh1
YyH50Zx2GJnZ7rORky7cXmhRvgo8Qn5eQ7NyP04t2aO3Y7ipwxmC1wuDOnzYbouf
1WKXicHrUUsoHcEN1DOGtWrDjKPkSWf1a884O+M07bNUevdnzNCRzJi353qcsTz8
E7Ll1ITCcEgSPbQi6xqsbldHUY2oPlLTCuVHTU/S42+/Y77vKa/YawBOkbdfMuGR
NYnyOr9n9oM3P5dl/fDyRFLZu6+0GHn2RdquQ/dBgLeYBql7Xuh5uymKS4+V75Lx
mfgqPTuNFcUSdcVYBeWUVf4LA3VkUrW3UvYb+nKdoon0kBuhiwPCzehbKKn1UoR9
JCefEUiBriSiA7gSzfg9o+bg+c9tv5ylH9bkum+0vg+Pk9va8+Y7uiza5fvbkW8k
GtDVpMCDdYFp9MkhaD6DqENCGmKAhvCxIrX/tZvOubrkwIRcu0qeMgRQQBQEHZPo
n3gwkVwoNwI8E3dZfYglHLVMwXgm5y5JYQgu+OcUx6Wk+OIHVpleuhJU+krbvajz
04H09CPjpMTm2SO0XEUEkVlrggW1oAJmDeXba5yKH6yxJMSfhWEpvtwgSydHeTvC
XsZPLbDW1NueGxZMwVVv7djnT2RWXx626MmPHVLIqwrWan4H6H7VeI8b6qQTbysa
90PAyUZZHXJmhhU0Tn2t
=faOg
-----END PGP SIGNATURE-----
