
VINCE: A Software Vulnerability Coordination Platform

January 2021 Podcast
Emily Sarneso, Art Manion

Emily Sarneso, the architect of VINCE, and Art Manion, technical manager of the Vulnerability Analysis Team in the SEI CERT Division, discuss the rollout of VINCE, how to use it, and future work in vulnerability coordination.

“We often find ourselves involved these days with cases where it is hard to reach a vendor, or a vendor and a reporter might disagree, or in many cases, when there are many vendors, multiple vendors involved. That is really where VINCE shines.”

Publisher:

Software Engineering Institute

Abstract

Software vulnerability coordination at the CERT Coordination Center (CERT/CC) has traditionally relied on a hub-and-spoke model, with reports submitted to analysts at the CERT/CC, who would then contact and work with affected vendors. To scale communications and increase the level of collaboration between vulnerability reporters, coordinators, and software vendors, the CERT/CC team has created a web-based platform for software vulnerability reporting and coordination called the Vulnerability Information and Coordination Environment (VINCE). In this podcast, Emily Sarneso, the architect of VINCE, and Art Manion, technical manager of the Vulnerability Analysis Team in the SEI CERT Division, discuss the rollout of VINCE, how to use it, and future work in vulnerability coordination.