diff --git a/docs/tutorials/coord_certcc/vendor.md b/docs/tutorials/coord_certcc/vendor.md index 48cbc30..3cdf018 100644 --- a/docs/tutorials/coord_certcc/vendor.md +++ b/docs/tutorials/coord_certcc/vendor.md 
@@ -12,25 +12,12 @@ This page provides an overview of the process for working with the CERT/CC to ad {% include-markdown "../../_includes/_certcc_policy_tip.md" heading-offset=1 %} -{== TODO review for accuracy given VINCE ==} -After reviewing the vulnerability report submitted, you can respond by -sending an email to [cert@cert.org.](mailto:cert@cert.org). -When doing so, be sure to include your VU# in the subject line, so that -our automated system can route your response to the analyst handling -your case. If you forget to add the VU# to the subject line of your -response email, our response may be delayed significantly. - -{== TODO review for accuracy given VINCE ==} -We recommend encrypting your response email to -[cert@cert.org](mailto:cert@cert.org) with the CERT/CC\'s [PGP public key], in order to -maintain privacy until the public disclosure date. For more information -on using PGP or obtaining the CERT/CC's PGP key, please see [Sending -Sensitive Information](http://www.cert.org/contact/sensitive-information.cfm). - -{== TODO review for accuracy given VINCE ==} -To fully communicate with the CERT/CC in a secure manner, we need your -organization's most up-to-date contact information, including your own -PGP public key. To update your information with us, please see our +When you receive a notification from the CERT/CC about a vulnerability in your product, +you should review the information provided and determine whether the report is accurate. +To do so, you can log into the +[Vulnerability Information and Coordination Environment (VINCE)](https://www.kb.cert.org/vince/) to view the report. + +To learn more about how to coordinate with the CERT/CC on VINCE, please see our [VINCE FAQ](https://vuls.cert.org/confluence/display/VIN/Frequently+Asked+Questions). !!! tip "What does the CERT/CC look for in a response?" 
@@ -47,13 +34,8 @@ PGP public key. To update your information with us, please see our - Do you need any further information from the CERT/CC or the reporter in order to address this issue? - {== TODO review for accuracy given VINCE ==} If you require extra information from the CERT/CC before a determination - can be made, please feel free to contact us. The best way to do so is to - send an email to [cert@cert.org](mailto:cert@cert.org) - with your VU# in the subject line, asking for more - information. You may also call our phone number during business hours - and an analyst will follow up with your message. + can be made, please feel free to reply within VINCE or by email. We may also be able to arrange conference calls with analysts, or use other communication methods if requested. @@ -71,12 +53,8 @@ to disclose the vulnerability and information on addressing the vulnerability if or information you wish; we will copy this statement verbatim into our published Vulnerability Note. - {== TODO review for accuracy given VINCE ==} - To send a Vendor Statement, please email - us at [cert@cert.org](mailto:cert@cert.org) with the VU# of the vulnerability in the subject line, - and include you statement in the body of the email. This email should be - PGP signed by your organization's key so we may verify its - authenticity. + Vendor statements can be added directly to a case within VINCE. + See [VINCE FAQ](https://vuls.cert.org/confluence/display/VIN/Frequently+Asked+Questions) for more. ## Multiparty Coordination @@ -93,6 +71,6 @@ working to address it. just your own (for example, you find a vulnerability in a widely-used open source library), please feel free to reach out to us to coordinate with all vendors at once. - {== TODO review for accuracy given VINCE ==} + If desired, we can keep your organization anonymous when coordinating with other vendors.
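Review bot: The rewritten paragraph in the `@@ -12,25 +12,12 @@` hunk removes the email routing rule (VU# in the subject line so the automated system can route the message to the analyst) and the PGP-encryption recommendation, yet the same patch still tells vendors in a later hunk that they may reply "by email". If email remains a supported channel, keep one sentence from the removed text, for example "If you reply by email to cert@cert.org, include the VU# in the subject line so the response reaches the analyst handling your case", and keep the pointer to the PGP key for anything sent before the disclosure date; otherwise drop the email option downstream so the page does not offer a channel it no longer explains. The request to keep the organization's contact details and PGP key current was also removed without a VINCE equivalent; a single sentence saying where that information is now maintained would close the gap.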
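Review bot: "please feel free to reply within VINCE or by email" in the `@@ -47,13 +34,8 @@` hunk is left without an address, because this patch deletes every cert@cert.org reference and the VU#-in-subject instruction elsewhere on the page; a reader of the patched page cannot act on "by email". Either name the address and the VU# requirement here, or replace "or by email" with a reference to the VINCE FAQ. The replacement for the phone option, "We may also be able to arrange conference calls with analysts, or use other communication methods if requested", is also vaguer than the text it replaces; if phone contact during business hours is still supported, say so, and if not, say that VINCE is the expected channel.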
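Review bot: The replacement lines in the `@@ -71,12 +53,8 @@` hunk drop the authenticity requirement without stating what replaces it: the removed text required the vendor statement to be "PGP signed by your organization's key so we may verify its authenticity", which matters because the statement is copied verbatim into a published Vulnerability Note. State explicitly that a statement entered in VINCE is attributed to the authenticated vendor account (if that is how VINCE works), and say what applies to a statement submitted outside VINCE, so the verification property stays documented instead of disappearing silently. The FAQ link is repeated verbatim from the first hunk; a shorter "see the VINCE FAQ" reference would do.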
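Review bot: The `@@ -93,6 +71,6 @@` hunk removes the `{== TODO review for accuracy given VINCE ==}` marker but changes nothing in the sentence it marked ("If desired, we can keep your organization anonymous when coordinating with other vendors"), so the review the marker asked for is either done and undocumented or skipped. If the anonymity option was confirmed to work in VINCE, say how a vendor requests it (a case setting, or a message to the analyst); if it was not confirmed, keep the marker. The replacement also leaves a blank line where the marker was, which renders as a stray paragraph break inside the indented block.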