18F / tts-buy-bug-bounty

Solicitation and acquisition documents created for the TTS Bug Bounty program that can be reused by other government agencies and organizations.
19 stars, 15 forks

Background Program Management #23

Open BKozisek7 opened 6 years ago

BKozisek7 commented 6 years ago

Question/Comment on TTS Bug Bounty RFQ

Name and affiliation

Brett Kozisek, Director, Synack Inc.

Section of RFQ documents

RFQ Section 2.0 - Background - https://github.com/18F/tts-buy-bug-bounty/blob/master/2018-procurement/RFQ.md#20-background

The fifth paragraph in this section states: “Program management services include services related to promotion of the program, tracking and workflow, and payouts”.

Question/Comment

Does the vendor have to specifically publicly disclose tracking, workflow and payout?

MichelleMcNellis commented 6 years ago

As outlined within RFQ Section 3.0 Requirements, the vendor must make the program visible to its community of researchers, and be able to promote its presence on the platform to those researchers. The vendor must support features that allow the government to promote the program by sharing information about payouts and specific vulnerability reports. The vendor is not required to publicly disclose all vulnerability reports, or to disclose all aspects of tracking, workflow, and payouts on the platform.