CERTCC/VINCE

VINCE is the Vulnerability Information and Coordination Environment developed and used by the CERT Coordination Center to improve coordinated vulnerability disclosure. VINCE is a Python-based web platform.


Description

VINCE - The Vulnerability Information and Coordination Environment - Software designed for multi-party vulnerability coordination. VINCE enables collaborative and efficient coordination by allowing all involved parties to tap into a central, web-based platform to communicate directly with one another about a vulnerability. It is based on the decades of experience with coordinated vulnerability disclosure (CVD) at the CERT Coordination Center (CERT/CC), which is a part of the Software Engineering Institute at Carnegie Mellon University.

Bugs and Feature Requests

You can report a bug, feature request, or other issue in this GitHub project. VINCE users can also send feedback through the Private Message feature.

About

VINCE, a Django application, is designed to run in Amazon Web Services (AWS) and is developed around many AWS services such as Cognito, S3, Elastic Beanstalk, CloudFront, SQS, SNS, and SES. VINCE uses the Python library warrant for AWS Cognito authentication. Warrant has been slightly modified and is included with VINCE. Because this vendored copy is modified, upstream security fixes to warrant do not arrive through pip and have to be ported by hand, so track the upstream project separately.

VINCE also uses and includes the django-bakery project to generate and publish flat HTML files of vulnerability notes that are served via an AWS S3 bucket. The django-bakery project has been modified to generate the flat files in memory instead of using the filesystem. As with warrant, this is a vendored, modified copy, so upstream fixes must be ported manually.

VINCE also has a development branch which can be run using LocalStack.

Architecture

VINCE follows Django's Model-Template-View (MTV) pattern for the most part. VINCE's 3-tier setup is designed to work with a Web/Presentation tier (Amazon CloudFront), an Application tier (Amazon Elastic Beanstalk) and a Database tier (Amazon RDS). All these components can be mimicked (or replaced) to use either LocalStack or individual open-source software for each tier. VINCE's service interfaces to Storage (Amazon S3), Notifications (Amazon SNS), Queueing (Amazon SQS) and Messaging (Amazon SES) are all modular and can be adapted to either LocalStack or other Python 3 + Django supported modules. VINCE's Identity Management defaults to Cognito; this can also be modified to use other Identity Providers. The Cognito identity is also tied to a few modules such as the S3 buckets used for file storage, including both uploads and downloads. These can be mimicked using LocalStack, but code updates may be required where files are uploaded or downloaded.

The VINCE application is made of three individual applications and databases:

  • VINCETRACK application (database vincetrack), launched from the vince/ folder.
  • VINCECOMM application (database vincecomm), launched from vinny/.
  • VINCEPUB application (database vincepub), launched from vincepub/.

The VINCETRACK application requires access to all three database schemas and tables. The VINCETRACK app is meant for Coordinators and Administrators; by default these are users in a group labeled Coordinator, or in the group configured in bigvince.settings.COGNITO_ADMIN_GROUP, which carries higher privileges. The VINCECOMM and VINCEPUB applications have access only to their respective schemas. The VINCECOMM application is accessible to Vendors, Finders (security researchers) and other stakeholders that are registered, verified and approved. The VINCEPUB application provides publicly available publications and reports to unauthenticated users. Each application can also be further protected by network access controls as desired to reduce the risk of exposure.
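The split above (one database per application, VINCETRACK reaching all three, and a different audience for each app) is the kind of thing Django's database-router hook exists for. The following is an added example written for this page, not code from the VINCE repository. It assumes the Django app labels are the folder names vince, vinny and vincepub, that they map to the database aliases default (vincetrack), vincecomm and vincepub, that the coordinator group is literally named "Coordinator", and that auth tables exist in every database (the last install step edits auth_user in two of them). It is plain Python so it runs without Django installed; the router class has the shape Django expects in settings.DATABASE_ROUTERS.

```python
"""Database routing and per-application access for a VINCE-style layout.

Added example for this page; not VINCE's own router. App labels, database
aliases and the group name below are assumptions, not read from VINCE.
"""
import types
from dataclasses import dataclass, field

# Hypothetical app-label -> database-alias table.
APP_TO_DB = {
    "vince": "default",      # VINCETRACK, coordinators and administrators
    "vinny": "vincecomm",    # VINCECOMM, approved vendors and finders
    "vincepub": "vincepub",  # VINCEPUB, unauthenticated public
}
# Apps whose tables are replicated into every database (auth_user lives in each).
SHARED_APPS = {"auth", "contenttypes", "sessions"}
# Stand-in for bigvince.settings.COGNITO_ADMIN_GROUP (assumed value).
COORDINATOR_GROUP = "Coordinator"


def database_for_app_label(app_label):
    """Alias that owns an app's tables, or None to let Django pick 'default'."""
    if app_label in SHARED_APPS:
        return None
    return APP_TO_DB.get(app_label)


def migration_allowed(db, app_label):
    """Create an app's tables only in the database that owns them."""
    if app_label in SHARED_APPS:
        return True
    owner = APP_TO_DB.get(app_label)
    if owner is None:
        return db == "default"  # third-party apps live with VINCETRACK (assumption)
    return db == owner


def relation_allowed(app_a, app_b):
    """Foreign keys across databases cannot be enforced, so refuse them."""
    if app_a in SHARED_APPS or app_b in SHARED_APPS:
        return True
    return APP_TO_DB.get(app_a) == APP_TO_DB.get(app_b)


class AppDatabaseRouter:
    """Router in the shape Django calls; each method defers to a pure function."""

    def db_for_read(self, model, **hints):
        return database_for_app_label(model._meta.app_label)

    def db_for_write(self, model, **hints):
        return database_for_app_label(model._meta.app_label)

    def allow_relation(self, obj1, obj2, **hints):
        return relation_allowed(obj1._meta.app_label, obj2._meta.app_label)

    def allow_migrate(self, db, app_label, model_name=None, **hints):
        return migration_allowed(db, app_label)


def fake_model(app_label):
    """Minimal stand-in for a Django model class (only _meta.app_label is used)."""
    return types.SimpleNamespace(_meta=types.SimpleNamespace(app_label=app_label))


@dataclass
class Principal:
    """Minimal stand-in for an authenticated user, constructed for the example."""
    authenticated: bool = False
    approved: bool = False  # registered, verified and approved by a coordinator
    groups: frozenset = field(default_factory=frozenset)


def can_access(app_label, principal):
    """Audience rule per application, as the paragraph above describes it."""
    if app_label == "vincepub":
        return True  # public publications, no login needed
    if not principal.authenticated:
        return False
    if app_label == "vinny":
        return principal.approved  # vendors and finders only after approval
    if app_label == "vince":
        return COORDINATOR_GROUP in principal.groups
    return False  # unknown application: deny by default


def migration_plan(databases, app_labels):
    """Which apps `manage.py migrate --database=<alias>` would touch per alias."""
    return {db: [a for a in app_labels if migration_allowed(db, a)] for db in databases}


if __name__ == "__main__":
    for db, apps in migration_plan(["default", "vincecomm", "vincepub"],
                                   ["auth", "vince", "vinny", "vincepub"]).items():
        print(f"migrate --database={db}: {apps}")
```

The migration_plan output is why the install steps run migrate three times: each alias only receives the tables of its own application plus the shared auth tables. The deny-by-default branch in can_access is deliberate; an app label that is not in the table gets no access rather than falling through to the public rule.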

Local Install

  1. Clone the repo.

  2. Create a virtual environment and install the requirements:

       cd bigvince
       mkvirtualenv bigvince
       source env/bin/activate
       pip install -r requirements.txt

     (mkvirtualenv comes from virtualenvwrapper and activates the environment itself; the source line is for a plain venv created in env/. Use whichever matches your tooling.)

  3. Create a postgres database using docker:

       docker run --name bv-postgres -p 5432:5432 -e POSTGRES_PASSWORD=PASSWORD -d postgres
       createdb -h localhost -U postgres bigvince

     Replace PASSWORD with a real password; createdb will prompt for it. Note that -p 5432:5432 publishes the port on every interface of the host, so on a shared machine bind it to the loopback address only (docker's -p accepts a host IP prefix, e.g. -p 127.0.0.1:5432:5432).

  4. Alternative (not using docker):

       psql postgres
       CREATE ROLE vince;
       ALTER ROLE vince CREATEDB;
       ALTER ROLE "vince" WITH LOGIN;
       CREATE DATABASE vincetest;
       GRANT ALL PRIVILEGES ON DATABASE vincetest TO vince;
       CREATE DATABASE vincecommtest;
       GRANT ALL PRIVILEGES ON DATABASE vincecommtest TO vince;
       CREATE DATABASE vincepubtest;
       GRANT ALL PRIVILEGES ON DATABASE vincepubtest TO vince;

     This creates the vince role with LOGIN but no password, so it relies on whatever local authentication pg_hba.conf allows; set a password if the databases are reached over TCP.

  5. Edit and copy VINCE.env to bigvince.env with the environment variables needed to run VINCE locally. This includes the database connection string and password for the new database, AWS keys, Google reCAPTCHA keys, etc.:

       DATABASE_URL=postgres://postgres@127.0.0.1:5432/bigvince
       DATABASE_PASSWORD=PASSWORD

     Keep this file out of version control; it holds every credential the application uses.

  6. Create a secret key:

       python3 -c 'from django.utils.crypto import get_random_string; chars = "abcdefghijklmnopqrstuvwxyz0123456789!@#%^&*(-_=+)"; print(get_random_string(50, chars));'

     Add it to bigvince/.env.

  7. Edit bigvince/settings_.py as needed with your settings. Important settings to pay attention to:

       EMAIL_BACKEND
       BUILD_DIR
       DEFAULT_FROM_EMAIL
       DEFAULT_REPLY_EMAIL
       DEFAULT_VISIBLE_NAME
       STANDARD_VENDOR_EMAIL
       STANDARD_PARTICIPANT_EMAIL
       DEFAULT_PHONE_NUMBER
       DEFAULT_EMAIL_SIGNATURE
       STANDARD_EMAIL_SIGNATURE
       WEB_TITLE
       ORG_NAME
       CONTACT_EMAIL
       *_BASE_TEMPLATES
       REPORT_IDENTIFIER
       CASE_IDENTIFIER
       SUPERUSER

  8. Run migrations (one run per database, since each application owns its own schema):

       python manage.py makemigrations
       python manage.py migrate
       python manage.py migrate --database=vincecomm
       python manage.py migrate --database=vincepub

  9. Create a Django superuser. This will be used to log in to the application. It uses the credentials defined in the settings.py SUPERUSER variable. Alternatively you can use Django's createsuperuser command to set your own username and password.

     NOTE: Skip this step if using Cognito auth (the default).

       python manage.py createsu

  10. Load initial data:

       python manage.py loadinitialdata

  11. Start the development server. (Profit)

       python manage.py runserver

  12. Attempt login.

  13. Set "is_superuser" to "true" for your user in the vincecomm and vincetrack databases (auth_user relation).
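Steps 5 and 6 above leave a file holding the database password and the secret key, and it is easy to start the server with the README's placeholder values still in place. The following is an added example written for this page, not part of VINCE: a pre-flight check that parses a .env file of the shape shown above and refuses to start when the password is still the placeholder, a password is embedded in DATABASE_URL, the secret key is short or low-entropy, or the file is readable by other users. It assumes the generated secret key is stored under the name SECRET_KEY (the README does not name the variable) and uses only the standard library, so it runs without Django installed.

```python
"""Pre-flight check of a VINCE-style .env before running the dev server.

Added example for this page, not code from the VINCE repository. The
variable name SECRET_KEY and the placeholder list are assumptions.
"""
import os
import re
import secrets
import stat

# Same alphabet as the README's Django one-liner.
KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#%^&*(-_=+)"
# Values that mean "nobody set a real password yet" (constructed list).
PLACEHOLDERS = {"", "PASSWORD", "password", "changeme"}
# user[:password]@ at the start of a postgres URL; group 2 is the password.
_URL_CREDS = re.compile(r"^postgres(?:ql)?://([^:/@]+)(?::([^@]*))?@")


def generate_secret_key(length=50):
    """Standard-library equivalent of django.utils.crypto.get_random_string."""
    return "".join(secrets.choice(KEY_CHARS) for _ in range(length))


def parse_env(text):
    """Parse KEY=VALUE lines; blanks and # comments are ignored, quotes stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # value may itself contain '='
        env[key.strip()] = value.strip().strip("'\"")
    return env


def check_env(env, file_mode=None):
    """Return a list of problems; an empty list means it is safe to start."""
    problems = []
    creds = _URL_CREDS.match(env.get("DATABASE_URL", ""))
    if creds is None:
        problems.append("DATABASE_URL missing or has no postgres://user@host part")
    elif creds.group(2) is not None:
        # A password inside the URL leaks into shell history, process listings
        # and error pages; the README keeps it in DATABASE_PASSWORD instead.
        problems.append("DATABASE_URL embeds a password; move it to DATABASE_PASSWORD")
    if env.get("DATABASE_PASSWORD", "") in PLACEHOLDERS:
        problems.append("DATABASE_PASSWORD is empty or still the README placeholder")
    key = env.get("SECRET_KEY", "")
    if len(key) < 50 or len(set(key)) < 10:
        problems.append("SECRET_KEY is shorter than 50 characters or low-entropy")
    if file_mode is not None and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(".env is readable by group/other; chmod 600 it")
    return problems


def check_env_file(path):
    """Read, parse and check an env file on disk, including its permissions."""
    with open(path, encoding="utf-8") as fh:
        env = parse_env(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return check_env(env, file_mode=mode)


if __name__ == "__main__":
    # Constructed sample: the README's literal values plus a generated key,
    # checked as if the file were mode 0644.
    sample = (
        "DATABASE_URL=postgres://postgres@127.0.0.1:5432/bigvince\n"
        "DATABASE_PASSWORD=PASSWORD\n"
        f"SECRET_KEY={generate_secret_key()}\n"
    )
    for problem in check_env(parse_env(sample), file_mode=0o644):
        print("refusing to start:", problem)
```

Call check_env_file("bigvince/.env") from a wrapper around manage.py runserver, or from a CI job, and abort when it returns anything. The entropy test is deliberately crude (length plus distinct-character count); it catches "xxxx..." and the placeholder, not a weak but varied key, so the key should still come from the generator rather than be typed by hand.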

Running tests

VINCE tests are stored in vince/tests. To run the tests:

python3 manage.py test vince

This will create a new database for the tests and delete it when the tests complete. To speed up repeated runs, you can tell Django to keep the test database instead (check python3 manage.py test --help for the Django version in requirements.txt: older releases spell the option -k, newer ones only --keepdb and use -k for test-name patterns).

python3 manage.py test vince -k

Fresh deployment reminders

Remember to give the "vince" group access to all of the Ticket Queues in admin console.

AWS Install

See docs for full AWS configuration.
