SOURCES SOUGHT
70 -- Vulnerability Disclosure Program Enterprise Management System (VDP EMS)
- Notice Date
- 7/24/2025 6:40:27 AM
- Notice Type
- Sources Sought
- NAICS
- 541519 — Other Computer Related Services
- Contracting Office
- FA7014 AFDW PK ANDREWS AFB MD 20762-6604 USA
- ZIP Code
- 20762-6604
- Solicitation Number
- FA701425X000X
- Response Due
- 7/18/2025 11:00:00 AM
- Archive Date
- 08/02/2025
- Point of Contact
- Phelicha Silva, Ryan Amos
- E-Mail Address
-
phelicha.silva@us.af.mil, ryan.amos.5.ctr@us.af.mil
- Description
- During the RFI phase of this requirement, two questions were received. The questions and answers are provided below. Please review the Q&A and keep them in mind when the official solicitation is published. This RFI has NOT been extended further.

Question 1: Is the Government specifically seeking vendors who can provide a proprietary, crowdsourced VDP platform license (e.g., HackerOne, Bugcrowd), or will you also consider integrators who can deliver compliance, security automation, and Microsoft Sentinel-based triage/reporting workflows in partnership with a platform provider? DC3 is directly seeking a proprietary, crowdsourced VDP platform license; HackerOne, Bugcrowd, Synack. Anything outside of this would impact mission success.

Question 2: Can you clarify the "250 crowdsourced vulnerability - bug tag and annual mailings"? Understand the concept here is that we would be responsible for the logistics and shipping of any DC3-provided items used to recognize researchers. This would be in regard to delivering "swag" (inexpensive tangible goods like stickers, coins, t-shirts) to the researcher community. Specifically, DC3 disseminates "swag" for things such as "hacker of the month" or "hacker of the year." The vendor will be responsible for distributing the "swag" on DC3's behalf (verifying mailing addresses, packaging swag, paying for the shipping, getting the swag to the shipper, etc.).

End Questions and Answers
---------------------------------------------------------------------
The Department of Defense Cyber Crime Center (DC3) is conducting market research for an enterprise management system to support its Vulnerability Disclosure Program (VDP) and Defense Industrial Base (DIB) VDP. The system shall facilitate collaboration, compliance, and management of the VDPs. Key requirements include:
  - Enterprise-grade VDP platform license/subscription for two instances (DoD VDP and DIB VDP).
  - Vulnerability submission and management workflows.
  - Integration, via API, with DC3's Atlassian Jira-based Vulnerability Report Management Network (VRMN) systems.
  - Mediation support for researcher inquiries.
  - Tools and processes for effective vulnerability triage and resolution (e.g., CVSS scoring).
  - Advanced analytics and custom reporting capabilities.
  - Dedicated account team with customer support and customer success functions.

Interested vendors are encouraged to review the attached draft Performance Work Statement (PWS) for detailed requirements and provide feedback on the PWS.

7/14/2025 - Amended solicitation to extend response due date to 18 Jul 2025.
- Web Link
-
SAM.gov Permalink
(https://sam.gov/opp/371b62b8f6d44b3ea84ad642a77616cb/view)
- Place of Performance
- Address: Linthicum Heights, MD, USA
- Country: USA
- Record
- SN07523976-F 20250726/250724230056 (samdaily.us)
- Source
-
SAM.gov Link to This Notice
(may not be valid after Archive Date)