2020 Year in Review
CERT/CC’s VINCE Platform Enables Collaboration on Software Vulnerabilities
The SEI’s CERT Coordination Center (CERT/CC) debuted a web-based collaboration platform for coordinated vulnerability disclosure called the Vulnerability Information and Coordination Environment (VINCE) in June.
Sponsored primarily by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), CERT/CC is a hub for the discovery, reporting, disclosure, and mitigation of software vulnerabilities, especially those affecting safety, critical or internet infrastructure, or national security.
Previously, CERT/CC staff used encrypted email to manually distribute all communications among vulnerability reporters, researchers, and vendors. VINCE’s peer-based interaction model uses a central, web-based platform so all stakeholders can collaborate directly with CERT/CC and each other.
With far fewer emails to shuffle, CERT/CC staff can concentrate on coordinating complex multi-vendor cases, analyzing vulnerabilities, and influencing standards and policy. “Finding, fixing, patching, and defending against vulnerabilities—we’re trying to help others do it faster and better while lowering risk and cost,” said Art Manion, the SEI’s Vulnerability Analysis technical manager.
As of early 2021, almost 400 vendors and 1,000 users had used VINCE to coordinate nearly 100 vulnerability cases. CERT/CC is now working to enable communication universally among many such vulnerability coordination platforms.
To learn more about VINCE, visit kb.cert.org/vince/.
RESEARCHERS
Art Manion, Emily Sarneso, Jonathan Woytek