
For Vendors

Should I sign up as an individual or an organization?

VINCE is designed so that accounts are tied to individual users, and users can be made members of groups, most commonly a vendor group. So if you're part of a security team like a PSIRT, sign up as an individual and request to be added to the appropriate vendor group(s). An existing administrator for a vendor group can add you to the group.

How do I become associated with a vendor?

Once you have created an individual VINCE account, ask us or your vendor group administrator. Users for whom we have existing trust (verified email address, possibly PGP key) are automatically associated with vendor groups. For users without existing trust, we perform a two-person validation process.

How do I manage my vendor group?

The first user added to a vendor group is granted the administrator role for that group. Our strong preference is that administrators manage further group membership. Multiple administrators are supported.

How can I give VINCE access to someone else in my organization?

Each organization has a designated group administrator account. This account permits invitation to the organization's group, which in turn allows access to the organization's cases. If a group administrator is not set for your organization, send the CERT/CC a private message with the email address of the desired group administrator, and we will validate the change. If you are the group administrator, you may invite someone from the User Management Page by adding the new user's email address. This email address must match the email associated with the user's VINCE account. Users associated with an organization automatically have access to all of the organization's cases.

Can I control which cases specific people in my organization have access to?

Yes. VINCE allows case access control through the User Management Page. By default all users have access to all current and new cases. You can toggle this setting by disabling the "Default User Case Access" toggle and selecting the cases each individual should have access to. When the default access is disabled, group administrators will need to grant access for non-admin users to new cases.

My VINCE account has been associated with the proper vendor group, so why can't I access my cases?

Log out and back in to VINCE. If this doesn't work, please send us a message.

What actions happen if a VINCE user's email address is associated with a permanent bounce?

We rely on the Admins of VINCE vendor groups to keep their roster of users current. However, in the event that we receive a "permanent bounce" notification regarding an email address associated with an active VINCE user account, we will immediately disable the account and remove that user from all VINCE groups. This measure is taken to prevent a user who might no longer be associated with an organization from seeing any privileged information in VINCE concerning that organization. If the user is removed in error, we can take the necessary steps to restore access.

What should I do if a reporter is not responding or participating in the discussion on VINCE?

If a reporter is not participating in the case, it is possible that the reporter chose not to create a VINCE account. The CERT/CC also may not have contact information for the reporter, so it is possible that the reporter will not be involved in the case. If an unresponsive reporter is listed among the VINCE participants in the case discussion, the CERT/CC may encourage the reporter to respond (perhaps by reaching out directly to the reporter).

How do I add my vulnerability status and submit an official statement?

Once the CERT/CC has identified and added the vulnerabilities to the case, we will request the status and statement from each impacted vendor. At that time, you will be able to add a status (affected/unaffected/unknown) and an official statement from the case discussion page.

Who sees my status and statement?

By default, only the VINCE coordinators in the case can see your status and statement before we publish the vulnerability note. You are welcome to share your status and statement with other case participants by switching the "Share" toggle when you submit your status and statement. This will allow anyone participating in the case to view your status or statement. The status will appear next to the vendor name on the right side of the case discussion. By clicking the status, you will be able to view any additional statements and references provided. Once the CERT/CC publishes the vulnerability note, the public will be able to view your status and statement.

How do I change my vulnerability status or official statement?

You can update your status and modify your statement from the case discussion page (the same place that you provided your original status and statement).

How long do statement updates take to be reflected on a published vulnerability note?

The CERT/CC will receive a notification when you update your statement. Once the CERT/CC views and approves the update, the changes will be reflected immediately on the published vulnerability note.

What does "public" mean for my contact information?

Contact information marked "public" will be shared with participants that require it, including reporters. Our eventual goal is to share contact information marked as "public" on our website so that it can be searched by the general public.

How do I update my public contact information?

Group administrators can use the "My Contact Info" page to edit their public contact information. Click "Edit My Contact Info" in the top right and toggle the "Public" switch to "Yes" to make specific contact information public. By default, all contact information that the CERT/CC has for your organization is set to "Not Public".

My organization is affiliated with "Vendor X". How can I be sure that I receive all of the notifications that "Vendor X" receives?

If you wish to receive a VINCE notification whenever a different specific vendor receives a VINCE notification, you should contact the other vendor (outside of VINCE) and ask that vendor's VINCE Admin to add your chosen email address to their vendor contact information. Likewise, if you wish for another vendor to receive a VINCE notification whenever you receive a VINCE notification, then you should add an email address to your VINCE contact list that will reach that other vendor.

What status should I select if my product is end-of-life, end-of-support, or generally no longer supported?

Generally speaking, the same selection criteria used for current products should be used for unsupported products: a product that is vulnerable should be marked "affected," and a product that is not vulnerable should be marked "not affected." If such a product is affected, mitigation steps should be provided if available. Additionally, CVE ID(s) should be requested in accordance with https://cve.mitre.org/cve/cna/CVE_Program_End_of_Life_EOL_Assignment_Process.html.

What does Affected status mean?

Affected means one or more of your products were or are impacted by the vulnerability. This includes some unique scenarios like:

  • Products that are no longer supported (EOL)
  • Products that were previously fixed
  • Situations where a "Won’t Fix" decision has been made

Marking as Affected allows downstream users and supply-chain partners to understand historical or residual risk, even if you’ve already addressed it.

Why mark EOL or fixed products as Affected?

Even unsupported or already-fixed products can remain in use by third parties. By marking them as Affected, you help inform replacement, isolation, or upgrade efforts.

This aligns with guidance from CISA, the CVE Program, and other industry bodies promoting transparency in the supply chain.

When should I use Not Affected?

Use this only if:

  • The vulnerability never applied to your products (not present in the codebase, not included as a library, etc.)
  • You are reasonably confident that no current or former customers or downstream users could be impacted

Important: If your organization is recommending any action at all in response to the report—such as applying a patch, changing configuration, deploying mitigations, or even reviewing impact—then it is very difficult to justify a Not Affected status. Recommending an action strongly implies there is some level of concern, which typically aligns with Affected.

Avoid using "Not Affected" solely because a product is fixed or out of support.

What does Unknown mean?

Use Unknown when:

  • You’re still investigating
  • You need more time to assess scope
  • Your internal policy differs and you'd prefer to point to your own advisory or decision process

You can include a link to your public statement for clarity.

What about Won’t Fix vulnerabilities?

Even if you do not plan to address a vulnerability (e.g., physical/local attack vectors outside your threat model), the product should still be marked Affected so others understand the issue and your position.

What if our internal policy uses different definitions?

We respect that each vendor may have their own policies. VINCE uses a public-coordination lens, and our statuses reflect ecosystem-wide communication needs.

If there’s a conflict, consider using Unknown with a link to your advisory. In some cases, CERT/CC may include a Coordinator Addendum to clarify differences between vendor-provided and coordinator-assessed status.

What if we disagree with CERT/CC’s interpretation?

CERT/CC supports open dialogue and respects the diverse policies and threat models of vendors. We understand that disagreements may arise regarding the appropriate status, scope, or response to a vulnerability.

Even in such cases, we will continue to support coordination efforts with you and document your position accurately. As part of our public-interest mission, we may also provide clarifying context in a Coordinator Addendum to help downstream consumers and supply-chain partners understand the full picture.

Our goal is not to override vendor policy, but to preserve transparency and accountability in the public disclosure process.
