Open BKozisek7 opened 5 years ago
Question/Comment on TTS Bug Bounty RFQ
Name and affiliation
Brett Kozisek, Director, Synack Inc.
Section of RFQ documents
RFQ Section 3.0 - Requirements, on disclosure of researchers (https://github.com/18F/tts-buy-bug-bounty/blob/master/2018-procurement/RFQ.md#30-requirements). Within Bounty Pool Management, sub-bullet four states: “Forward to TTS the vulnerability reports, the names of the researchers, and the award amounts.”
Question/Comment
Would the government require the name of the researcher if the vendor provides protection for the researchers, considers this information confidential, and provides confidentiality assurances for researchers?

In accordance with RFQ Section 12.0 Addendum - Commercial Contract Clauses, FAR Clauses 52.212-3 Offeror Representations and Certifications -- Commercial Items (Jan 2017), the government will require assurances that the researchers who received the payouts are not from countries forbidden to receive payouts from the government. If a researcher's handle and some other information would be capable of providing the government with these assurances, please outline how, and it will be considered.