The Department of Homeland Security has released a draft solicitation for a potential five-year, $40 million indefinite-delivery/indefinite-quantity contract to provide crowdsourced vulnerability discovery and disclosure services across DHS networks, software, web applications, hardware and other information systems as part of efforts to improve the agency’s cybersecurity posture.
The Hack DHS: Crowdsourced Vulnerability Assessment Services IDIQ contract will require the contractor to own and maintain a platform to facilitate vulnerability disclosure efforts and integrate key features into the platform, including the capability to securely accept and show vulnerability reports from researchers and the capacity to manage researchers on the assessment.
DHS expects six time-boxed challenges and two continuous challenges during the contract’s first year and up to 12 time-boxed challenges and five continuous challenges should the option year be exercised, according to a performance work statement.
The selected vendor should carry out live events and collaborate with the department’s representatives to design competitions and gamification aspects of the event.
Each task order will be categorized into three phases: pre-assessment, assessment and post-assessment.
Comments on the draft request for proposals are due May 3.
The draft solicitation came days after DHS announced the results of its initial bug bounty program as part of the Hack DHS initiative.