18F / tts-buy-bug-bounty

Solicitation and acquisition documents created for the TTS Bug Bounty program that can be reused by other government agencies and organizations.

Background on Researchers #22

Open BKozisek7 opened 5 years ago

BKozisek7 commented 5 years ago

Question/Comment on TTS Bug Bounty RFQ

Name and affiliation

Brett Kozisek, Director, Synack Inc.

Section of RFQ documents

RFQ Section 2.0 - Background - https://github.com/18F/tts-buy-bug-bounty/blob/master/2018-procurement/RFQ.md#20-background

The third paragraph in this section states: “The larger the community of security researchers in the Bug Bounty SaaS Platform provider’s network, the better the chance TTS has of finding bugs and technical issues within their web applications.”

Question/Comment

Specific to the network of security researchers, can the government confirm they are expecting quality over quantity?

Is there an expectation that allowed researchers have been properly vetted for trust and skill prior to being included in any test?

MichelleMcNellis commented 5 years ago

TTS is not seeking to vet researchers for trust, skill, or quality prior to being included in any test. As outlined within RFQ Section 3.0, Requirements, TTS seeks a fully public bug bounty that allows for reports to be accepted from any eligible security researcher, where eligibility is defined as meeting the platform and vendor’s requirements to participate within the program. TTS is interested in the quality of the reports it receives, and in the features and service a bug bounty platform may offer that contribute to high report quality.