VINCE - The Vulnerability Information and Coordination Environment - Software designed for multi-party vulnerability coordination. VINCE enables collaborative and efficient coordination by allowing all involved parties to tap into a central, web-based platform to communicate directly with one another about a vulnerability. It is based on the decades of experience with coordinated vulnerability disclosure (CVD) at the CERT Coordination Center (CERT/CC) which is a part of the Software Engineering Institute at Carnegie Mellon University.
- The CERT Guide to Coordinated Vulnerability Disclosure: https://vuls.cert.org/confluence/display/CVD
- Report a Vulnerability https://www.kb.cert.org/vuls/report/
- VINCE User Documentation: https://vuls.cert.org/confluence/display/VIN/VINCE+Documentation
- Vulnerability Note API Documentation: https://vuls.cert.org/confluence/display/VIN/Vulnerability+Note+API
- VINCE API Documentation: https://vuls.cert.org/confluence/display/VIN/VINCE+API
You can report a bug, feature request, or other issue in this GitHub project. VINCE users can also send feedback through the Private Message feature.
VINCE, a Django application, is designed to run in Amazon Web Services (AWS) and is developed around many of AWS services such as Cognito, S3, ElasticBeanstalk, Cloudfront, SQS, SNS, and SES. VINCE uses the python library, warrant, for AWS Cognito authentication. Warrant has been slightly modified and is included with VINCE.
VINCE also uses and includes the django-bakery project to generate and publish flat HTML files of vulnerability notes that are served via an AWS S3 bucket. The django-bakery project has been modified to generate the flat files in memory versus using the filesystem.
VINCE follows a traditional Django's
Model-Template-View-Controller for most part.
VINCE's 3-Tier setup is designed to work with Web/Presentation Tier (Amazon CloudFront),
Application Tier (Amazon ElasticBeanStalk) and Database Tier (Amazon RDS). All these
components can be mimicked (or replaced) to either use LocalStack or individual
open-source software for each of these tiers. VINCE's services interface to Storage (Amazon S3)
Notifications (Amazon SNS), Queueing (Amazon SQS) and Messaging (Amazon SES) are all modular
and can be adapted to either LocalStack or other python3+Django supported modules. VINCE's
Identity Management is defaulted to Cognito - this also can be modified to use other Identity
Providers. Cognito identity is also tied to few modules such as S3 buckets used for file
storage, including both uploads and downloads. These can be mimicked using LocalStack. Code
updates may be required in cases of file interactions.
VINCE application is made of three individual applications and databases.
- VINCETRACK application (database vincetrack) launched from (vince/)[vince/] folder.
- VINCECOMM application (database vincecomm) launched from (vinny/)[vinny/].
- VINCEPUB application (database vincepub) launched from (vincepub/)[vincepub/].
The VINCETRACK application requires access to all three database schemas and tables.
The VINCETRACK app is meant for
Coordinators and Administrators by default deisgned to be in
a group labeled as
Coordinator or as setup in
with higher privileges. The VINCECOMM and VINCEPUB applications have access to their respective schemas.
The VINCECOMM applications is acessible to Vendors, Finders
(Security Researchers) as well as other stakeholders that are registered, verified and have been approved. The
VINCEPUB application provides publicly available publications and reports that unauthenticated
users. Each application can also be further protected by network access controls as desired to
reduce the risk of exposure.
Clone the repo
Create a virtual environment and install requirements
pip install -r requirements.txt
- Create a postgres database using docker
docker run --name bv-postgres -p 5432:5432 -e POSTGRES_PASSWORD=PASSWORD -d postgres
createdb -h localhost -U postgres bigvince
- Alternate (not using docker):
CREATE ROLE vince;
ALTER ROLE vince CREATEDB;
ALTER ROLE "vince" WITH LOGIN;
CREATE DATABASE vincetest;
GRANT ALL PRIVILEGES ON DATABASE vincetest TO vince;
CREATE DATABASE vincecommtest;
GRANT ALL PRIVILEGES ON DATABASE vincecommtest TO vince;
CREATE DATABASE vincepubtest;
GRANT ALL PRIVILEGES ON DATABASE vincepubtest TO vince;
- Edit and copy VINCE.env to bigvince.env with the environment variables needed to run VINCE locally - this includes the database connection string and password for the new database, AWS keys, Google reCAPTCHA keys, etc.
- Create secret key
python3 -c 'from django.utils.crypto import get_random_string; chars = "abcdefghijklmnopqrstuvwxyz0123456789!@#%^&*(-_=+)"; print(get_random_string(50, chars));';
Add it to bigvince/.env
- Edit bigvince/settings_.py as needed with your settings. Important settings to pay attention to:
- Run migrations
python manage.py makemigrations
python manage.py migrate
python manage.py migrate --database=vincecomm
python manage.py migrate --database=vincepub
- Create a django super user. This will be used to login into the application.
It uses the credentials defined in the settings.py SUPERUSER variable. Alternatively you can use Django's createsuperuser command to set your own username and password.
NOTE: Skip this step if using cognito auth (the default)
python manage.py createsu
- Load initial data:
python manage.py loadinitialdata
- Start the development server. (Profit)
python manage.py runserver
- Attempt login
- Set "is_superuser" to "true" for your user in vincecomm and vincetrack databases, auth_user relation.
Vince test are stored in vince/tests. To run tests:
python3 manage.py test vince
This will create a new database for the tests and will delete it when the tests completes. To speed up tests, you can tell Django to not delete the test DB.
python3 manage.py test vince -k
Remember to give the "vince" group access to all of the Ticket Queues in admin console.
See docs for full AWS configuration