Software Engineering Institute

The SEI’s CERT Coordination Center (CERT/CC) debuted a web-based collaboration platform for coordinated vulnerability disclosure called the Vulnerability Information and Coordination Environment (VINCE) in June.

Sponsored primarily by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), CERT/CC is a hub for the discovery, reporting, disclosure, and mitigation of software vulnerabilities, especially those affecting safety, critical or internet infrastructure, or national security.

CERT/CC staff used to use encrypted email to distribute all communications manually among vulnerability reporters, researchers, and vendors. VINCE’s peer-based interaction model uses a central, web-based platform so all stakeholders can collaborate directly with CERT/CC and each other.

With far fewer emails to shuffle, CERT/CC staff can concentrate on coordinating complex multi-vendor cases, analyzing vulnerabilities, and influencing standards and policy. “Finding, fixing, patching, and defending against vulnerabilities—we’re trying to help others do it faster and better while lowering risk and cost,” said Art Manion, the SEI’s Vulnerability Analysis technical manager.