Open BKozisek7 opened 5 years ago
Question/Comment on TTS Bug Bounty RFQ

Name and affiliation: Brett Kozisek, Director, Synack Inc.

Section of RFQ documents: RFQ Section 2.0 - Background - https://github.com/18F/tts-buy-bug-bounty/blob/master/2018-procurement/RFQ.md#20-background
The third paragraph in this section states: “The larger the community of security researchers in the Bug Bounty SaaS Platform provider’s network, the better the chance TTS has of finding bugs and technical issues within their web applications.”

Question/Comment:
Specific to the network of security researchers, can the government confirm they are expecting quality over quantity?
Is there an expectation that allowed researchers have been properly vetted for trust and skill prior to being included in any test?

TTS response:
TTS is not seeking to vet researchers for trust, skill, or quality prior to being included in any test. As outlined within RFQ Section 3.0, Requirements, TTS seeks a fully public bug bounty that allows for reports to be accepted from any eligible security researcher, where eligibility is defined as meeting the platform and vendor’s requirements to participate within the program. TTS is interested in the quality of the reports it receives, and in the features and service a bug bounty platform may offer that contribute to high report quality.