18F / tts-buy-bug-bounty

Solicitation and acquisition documents created for the TTS Bug Bounty program that can be reused by other government agencies and organizations.

Vulnerability Reports #28

Open BKozisek7 opened 6 years ago

BKozisek7 commented 6 years ago

Question/Comment on TTS Bug Bounty RFQ

Name and affiliation

Brett Kozisek, Director, Synack Inc.

Section of RFQ documents

RFQ Section 3.2.1 - Vulnerability Reports. https://github.com/18F/tts-buy-bug-bounty/blob/master/2018-procurement/RFQ.md#321-vulnerability-reports It states “The contractor will submit through their security disclosure platform vulnerability reports for those on the TTS application list. These vulnerabilities will be triaged and classified based on the severity of the vulnerability before being submitted to TTS.”

Question/Comment

Does the 1 business day requirement mean that the period from the disclosure of the vulnerability discovery to the vendor must include triage and providing a complete vulnerability report, including remediation steps for the vulnerability, and submitting the entire report to TTS?

MichelleMcNellis commented 6 years ago

In accordance with RFQ Section 3.2.1, the vendor must notify TTS of the vulnerability, determine the scope, and assign it to the appropriate team within one (1) day.