18F / tts-buy-bug-bounty

Solicitation and acquisition documents created for the TTS Bug Bounty program that can be reused by other government agencies and organizations.

Type of Contract #20

Open BKozisek7 opened 6 years ago

BKozisek7 commented 6 years ago

Question/Comment on TTS Bug Bounty RFQ

Name and affiliation

Brett Kozisek, Director, Synack Inc.

Section of RFQ documents

RFQ Section 7.0 Type of Contract - https://github.com/18F/tts-buy-bug-bounty/blob/master/2018-procurement/RFQ.md#70-type-of-contract. It states the following: “Based on the nature of this requirement, the government intends to award a hybrid Firm-Fixed-Price (FFP) and Firm-Fixed-Price Not-To-Exceed (NTE) contract type. The contract will include a FFP CLIN for access to the platform and triage services. The bounty pool will be NTE, with varying vulnerability levels but with all costs paid directly to the researchers.”

Question/Comment

Can the vendor respond with maintaining and coordinating the Bug Bounty program as a complete Fixed Firm Price model?

Would this disqualify the vendor if submitting pricing as a complete Fixed Firm Price model, to include the platform, vulnerability management and triage, vulnerability value management, and vulnerability management for all bug bounty challenges?

MichelleMcNellis commented 6 years ago

The type of contract will remain as a hybrid Firm-Fixed-Price (FFP) and Firm-Fixed-Price Not-To-Exceed (NTE). All responses must be in accordance with the selected contract type.