VINCE is the Vulnerability Information and Coordination Environment developed and used by the CERT Coordination Center to improve coordinated vulnerability disclosure. VINCE is a Python-based web platform.
VINCE - The Vulnerability Information and Coordination Environment - Software
designed for multi-party vulnerability coordination. VINCE enables
collaborative and efficient coordination by allowing all involved parties to
tap into a central, web-based platform to communicate directly with one
another about a vulnerability. It is based on the decades of experience with
coordinated vulnerability disclosure (CVD) at the CERT Coordination Center
(CERT/CC) which is a part of the Software Engineering Institute at Carnegie
Mellon University.
You can report a bug, feature request, or other issue in this GitHub project. VINCE users can also send feedback through the Private Message feature.
VINCE, a Django application, is designed to run in Amazon Web Services (AWS)
and is developed around many
of AWS services such as Cognito, S3, ElasticBeanstalk, Cloudfront, SQS, SNS,
and SES. VINCE uses the python library,
warrant, for AWS Cognito
authentication. Warrant has been
slightly modified and is included with VINCE.
VINCE also uses and includes
the django-bakery project to
generate and publish flat HTML files of vulnerability notes that are served
via an AWS S3 bucket. The
django-bakery project has been
modified to generate the flat files in memory versus using the filesystem.
VINCE also has a development
branch which can be run using LocalStack.
VINCE follows a traditional Django’s Model-Template-View-Controller for most part.
VINCE’s 3-Tier setup is designed to work with Web/Presentation Tier (Amazon CloudFront),
Application Tier (Amazon ElasticBeanStalk) and Database Tier (Amazon RDS). All these
components can be mimicked (or replaced) to either use LocalStack or individual
open-source software for each of these tiers. VINCE’s services interface to Storage (Amazon S3)
Notifications (Amazon SNS), Queueing (Amazon SQS) and Messaging (Amazon SES) are all modular
and can be adapted to either LocalStack or other python3+Django supported modules. VINCE’s
Identity Management is defaulted to Cognito - this also can be modified to use other Identity
Providers. Cognito identity is also tied to few modules such as S3 buckets used for file
storage, including both uploads and downloads. These can be mimicked using LocalStack. Code
updates may be required in cases of file interactions.
VINCE application is made of three individual applications and databases.
The VINCETRACK application requires access to all three database schemas and tables.
The VINCETRACK app is meant for Coordinators and Administrators by default deisgned to be in
a group labeled as Coordinator or as setup in bigvince.settings.COGNITO_ADMIN_GROUP
with higher privileges. The VINCECOMM and VINCEPUB applications have access to their respective schemas.
The VINCECOMM applications is acessible to Vendors, Finders
(Security Researchers) as well as other stakeholders that are registered, verified and have been approved. The
VINCEPUB application provides publicly available publications and reports that unauthenticated
users. Each application can also be further protected by network access controls as desired to
reduce the risk of exposure.
Clone the repo
Create a virtual environment and install requirements
cd bigvincemkvirtualenv bigvincesource env/bin/activatepip install -r requirements.txt
Create a postgres database using docker
docker run --name bv-postgres -p 5432:5432 -e POSTGRES_PASSWORD=PASSWORD -d postgrescreatedb -h localhost -U postgres bigvince
Alternate (not using docker):
psql postgresCREATE ROLE vince;ALTER ROLE vince CREATEDB;ALTER ROLE "vince" WITH LOGIN;CREATE DATABASE vincetest;GRANT ALL PRIVILEGES ON DATABASE vincetest TO vince;CREATE DATABASE vincecommtest;GRANT ALL PRIVILEGES ON DATABASE vincecommtest TO vince;CREATE DATABASE vincepubtest;GRANT ALL PRIVILEGES ON DATABASE vincepubtest TO vince;
Edit and copy VINCE.env to bigvince.env with the environment variables needed to run VINCE locally - this includes the database connection string and password for the new database, AWS keys, Google reCAPTCHA keys, etc.
DATABASE_URL=postgres://postgres@127.0.0.1:5432/bigvinceDATABASE_PASSWORD=PASSWORD
Create secret key
python3 -c 'from django.utils.crypto import get_random_string; chars = "abcdefghijklmnopqrstuvwxyz0123456789!@#%^&*(-_=+)"; print(get_random_string(50, chars));';
Add it to bigvince/.env
Edit bigvince/settings_.py as needed with your settings. Important settings to pay attention to:
EMAIL_BACKENDBUILD_DIRDEFAULT_FROM_EMAILDEFAULT_REPLY_EMAILDEFAULT_VISIBLE_NAMESTANDARD_VENDOR_EMAILSTANDARD_PARTICIPANT_EMAILDEFAULT_PHONE_NUMBERDEFAULT_EMAIL_SIGNATURESTANDARD_EMAIL_SIGNATUREWEB_TITLEORG_NAMECONTACT_EMAIL*_BASE_TEMPLATESREPORT_IDENTIFIERCASE_IDENTIFIERSUPERUSER
Run migrations
python manage.py makemigrationspython manage.py migratepython manage.py migrate --database=vincecommpython manage.py migrate --database=vincepub
Create a django super user. This will be used to login into the application.
It uses the credentials defined in the settings.py SUPERUSER variable. Alternatively
you can use Django’s createsuperuser command to set your own username and password.
NOTE: Skip this step if using cognito auth (the default)
python manage.py createsu
Load initial data:
python manage.py loadinitialdata
Start the development server. (Profit)
python manage.py runserver
Attempt login
Vince test are stored in vince/tests. To run tests:
python3 manage.py test vince
This will create a new database for the tests and will delete it when the tests completes. To speed up tests, you can tell Django to not delete the test DB.
python3 manage.py test vince -k
Remember to give the “vince” group access to all of the Ticket Queues in admin console.
See docs for full AWS configuration