This repository has been archived by the owner on Oct 16, 2019. It is now read-only.
In accordance with RFQ Section 3.2.1, the vendor must notify TTS of the vulnerability, determine the scope, and assign it to the appropriate team within one (1) day.
Question/Comment on TTS Bug Bounty RFQ
Name and affiliation
Brett Kozisek
Director
Synack Inc.
Section of RFQ documents
RFQ Section 3.2.1 - Vulnerability Reports. https://github.com/18F/tts-buy-bug-bounty/blob/master/2018-procurement/RFQ.md#321-vulnerability-reports
It states “The contractor will submit through their security disclosure platform vulnerability reports for those on the TTS application list. These vulnerabilities will be triaged and classified based on the severity of the vulnerability before being submitted to TTS.”
Question/Comment
Does the 1 business day requirement, from the disclosure of vulnerability discovery to the vendor, include triage, providing a complete vulnerability report including remediation steps for the vulnerability, and submitting the entire report to TTS?