18F / tts-buy-bug-bounty

Solicitation and acquisition documents created for the TTS Bug Bounty program that can be reused by other government agencies and organizations.

Requirements on Disclosure of Researchers #26

Open BKozisek7 opened 5 years ago

BKozisek7 commented 5 years ago

Question/Comment on TTS Bug Bounty RFQ

Name and affiliation

Brett Kozisek, Director, Synack Inc.

Section of RFQ documents

RFQ Section 3.0 - Requirements on disclosure of researchers: https://github.com/18F/tts-buy-bug-bounty/blob/master/2018-procurement/RFQ.md#30-requirements. Within Bounty Pool Management, under sub-bullet four, it states: “Forward to TTS the vulnerability reports, the names of the researchers, and the award amounts.”

Question/Comment

Would the government require the name of the researcher if the vendor provides protection for the researchers and considers this information confidential and provides confidentiality assurances for researchers?

MichelleMcNellis commented 5 years ago

In accordance with RFQ Section 12.0 Addendum - Commercial Contract Clauses, FAR Clauses 52.212-3 Offeror Representations and Certifications -- Commercial Items (Jan 2017), the government will require assurances that the researchers who received the payouts are not from countries forbidden to receive payouts from the government. If a researcher's handle and some other information would be capable of providing the government with these assurances, please outline how and it will be considered.