Opportunity Details
Tracking Number

Not Provided

Organization

Chief Digital and Artificial Intelligence Office (CDAO)

Start Date

Nov 2, 2022 ET

End Date

Nov 14, 2022 ET

Current Status

Closed

Registration

Open

No Attachments

Rapid Response Bug Bounties
Opportunity Summary
Description
The Chief Digital and Artificial Intelligence Office’s Directorate for Digital Services (“DDS”) is seeking information related to responding to potentially widespread and critical cybersecurity vulnerabilities such as log4j. DDS wishes to address this class of problem by maintaining a “rapid response” bug bounty program, aka crowdsourced vulnerability discovery, targeting systems within the Department of Defense (DoD). The salient differentiator from typical bug bounties is that DDS desires the capability to start a bounty within very short timeframes, i.e., 1-3 days.
Additional Information
Submission Deadline:
11/14/2022 at 09:00 AM EST
OPEN CALL FOR INNOVATIVE SOLUTIONS
The Chief Digital and Artificial Intelligence Office (CDAO) is initiating an open call for feedback and innovative solutions to solve Department of Defense (DoD) problems. Innovative means any technology, process, business practice, or any application of an existing technology, process, or business practice that enhances mission effectiveness for the Government. The objective of this Call is to attract and identify best-of-breed solutions to solve the problem sets identified. 


This Open Call to Industry has the potential for pilot project awards that may be accomplished via Other Transaction Authority (OTA) for Prototype Projects pursuant to 10 USC 4022b (formerly 2371b). As such, assessment activities conducted in furtherance of a potential pilot project award agreement are considered competitive in the same manner as a Broad Agency Announcement (BAA) or Commercial Solutions Opening (CSO), and solutions will be assessed independently of one another, primarily for technical merit. The procedures outlined in this Open Call are considered to satisfy the reasonable effort to obtain competition in accordance with 10 USC 4022b.

WHAT TO EXPECT
In general, you can expect the below from Open Calls to Industry / Digital Proving Ground (DPG) Tradewind Challenges. At this time, CDAO anticipates hosting DPGs quarterly.


DPG expectations:


  • Multiple problem sets we’re looking for innovative solutions for 
  • New problems expected to be added to tradewindai.com every quarter 
  • Assessment of submitted solutions on a quarterly basis
  • Submit your solutions at any time while problems are published 
  • Pay attention to assessment deadlines, if any, identified
PROBLEM TO BE SOLVED
Abstract


DDS is seeking information to extend its current bug bounty operations for the DoD into a “rapid response” mode; that is, to begin a bounty on information systems, typically to look for a widespread and critical vulnerability, within a very short timeframe, i.e., 1-3 days. Target systems could include traditional IT elements such as IP-based networks, computing systems, and applications, but also Operational Technology (OT) elements including various ICS/SCADA components and operational platforms.


We want to understand industry capabilities and interests in applying the commercial bug bounty model in a way that allows DoD to rapidly respond to critical vulnerabilities, such as the log4j vulnerability discovered in 2021. This may involve novel business/pricing models, use of technology and personnel, and potentially policy modifications.


Background


DDS has planned and executed over 40 bug bounties for the DoD since 2015, working with internal DoD partners (i.e., system owners) and industry partners. Bug bounties improve cybersecurity by gathering vetted independent security researchers (aka “white hat hackers”) to discover and report on cyber vulnerabilities in a time-boxed manner; bounties incentivize researchers via cash awards (“bounties”), recognition, and other incentives. (For more information see, e.g., https://en.wikipedia.org/wiki/Bug_bounty_program.)


Historically, DoD has performed these bug bounties with several weeks to months of preparation and planning, some before, and some during the industry partner’s Period of Performance. This model works well for “business as usual”; however, the discovery and impact of log4j proved the value of DoD having a mechanism to respond much more quickly with a crowdsourced vulnerability capability for high-impact issues.


Note: the DoD, through the Defense Cyber Crime Center, operates a Vulnerability Disclosure Program (see https://www.dc3.mil/Missions/Vulnerability-Disclosure/Vulnerability-Disclosure-Program-VDP/). This program is separate from the bug bounties conducted by DDS, and this RFI and any resulting program is not intended to modify DC3 VDP’s operations in any way.


Problem Statement


DDS has a track record of successfully executing bug bounties for the DoD on information systems. We see value in extending the model to a “rapid response” business and operational capability, and seek information from industry on their interest and capabilities in this area. To be clear, we are not seeking to execute classical penetration testing, which is a slightly different approach. Rather we wish to preserve the model of using “crowdsourced” independent vulnerability researchers, preferably in large groups (dozens to hundreds), managed by an industry partner, and rewarded based on their findings.


The key challenges/requirements we see are:

 1. Guarantees/Service Level Agreements (SLAs) of rapid response, i.e., researchers are “on target” beginning No Later Than 48 hours from Government notification to the industry partner.

 2. Creative pricing models that balance risk between the industry partner and Government with respect to costs for work done and the value of being “on retainer”.

 3. Potentially longer-term contracts and/or Periods of Performance, given the inability of the parties to predict when such a rapid response bounty may be needed.

 4. Tradeoffs/dependencies between timeliness of response and the size and makeup (for example, nationalities) of the researcher pool.


Objective


DDS aims to establish an approach to operate bug bounties on a rapid response basis, whereby industry partners are capable and desirous of supporting such a program.  Therefore, this Call to Industry seeks industry feedback/suggestions and/or solutions relating to the construction of such a business and operational model, including timing, resourcing, constraints, and alternative approaches.

SUBMIT YOUR SOLUTIONS!
This Open Call to Industry identifies a multiple-round, competitive assessment process to identify solutions that best solve DoD problems.


Unfortunately, there is not a multitude of great ideas; there are likely 1 or 2. This process enables us to focus on the few ideas and solutions that have technical merit and take action with a pilot project award. As a result, not all solution providers will participate in all rounds or obtain a pilot project agreement with the Government.


We also need flexibility as we learn new things during new assessment activities. The Government may skip or combine rounds as necessary to collect and assess information as it relates to proposed solutions. Further, the Government may go back to earlier rounds with clarifications and additional requests as necessary to identify successful solutions that will meet intended pilot project objectives. Finally, the Government may initiate steps toward a prototype project award at any round.


  • ROUND 1 – Discovery Paper (DUE NOV 14) 

If you have feedback or a solution that addresses any of the listed problems, we would love to hear about it. Submit a brief discovery paper for us to assess. CDAO and select subject matter experts may invite those that have interesting feedback and/or the highest potential to solving the problem to Round 2. 


  • ROUND 2 – Digital Proving Ground (DPG) (DEC 7-8) 

The goal of the DPG is to allow our Industry partners to have the opportunity to pitch in a fast-paced environment with contracting professionals poised to execute rapid pilot project awards. If selected to participate at the DPG, you will receive instructions on whether to prepare for an informal one-on-one technical discussion, demonstration of a solution, “Shark Tank” pitch, or something similar to better understand your solution. Conversations may continue outside of the DPG if additional information is needed to understand detailed solution offerings, determine the feasibility of teaming between separate solution providers, and/or make a Round 3 determination. 


  • ROUND 3 – Project Award 

The Government reserves the right to make one, some, or no pilot project awards based on the Round 2 results. Successfully negotiated awards are intended to be Other Transaction Agreements under 10 USC 4022. An award under 10 USC 4022 may result in a subsequent award of a follow-on production agreement without additional competition based on successful prototype completion. 

FEEDBACK DURING ASSESSMENT
If you are not chosen for a subsequent round(s), we will make our best efforts to notify you in writing as soon as practical. If you are invited to any round, subsequent round(s), or a return to earlier round(s), we will notify you via email with details and instructions on what information we are looking to assess. We are not able to provide instructions in advance due to the individual variance between problem sets and unique circumstances that may impact a pilot project. We care about transparency and providing timely feedback to help you improve your offerings, but sometimes our team is simply overtaxed. We are currently working to build in automated feedback mechanisms into the Tradewind Exchange, but in the meantime, we greatly appreciate your patience if we hit a resource limitation and cannot provide you the feedback you deserve in a timely manner.
NOTICES
Special Notice on Judges  

Non-Government, subject matter expert (SME) judges may be used in any assessment activity. Such assessors will be operating at the direction of the Government and under signed non-disclosure agreements (NDAs). The Government understands that information provided in response to this open call is presented in confidence, and it agrees to protect such information from unauthorized disclosure to the extent required by law. Your participation in any round of assessment under this Open Call indicates concurrence with the use of Non-Government SME judges.


Living Document 

This Open Call supporting the Tradewind Prototype Challenges is a living document which is intended to evolve as our business processes are automated, as we apply new business practices, or as we streamline any activity or workflow. All information presented within this document is subject to change. Specifically, the problems identified will be updated throughout the life of this Open Call. Check in regularly for updates at tradewindai.com.

WHAT DO I SUBMIT IN ROUND 1?
Submit a 2-page Discovery Paper by 0900 Eastern Time on November 14, 2022 answering the following questions and instructions. We will not dictate format, but ask you answer the questions in the order provided.  


  • PROBLEM ALIGNMENT: What is your feedback on DDS's outlined challenges, and/or how well does your solution map to our published problem(s)? Argue that the solution you’re providing is a fit to solve the published problem(s).


  • VALUE PROPOSITION: Why is your solution the best approach from a technical perspective? If you can convincingly refute alternatives to solving the problem, please briefly do so. If applicable, also consider arguing why the end user/warfighter would prefer your solution. 


  • OPERATIONAL IMPACT: Looking only at the DoD personnel who will be impacted by your solution, argue that their jobs or lives will be significantly improved if your solution is adopted. What is the impact of your solution vs. today's solutions? 


  • END USER DEMAND: Make your best pitch to the end user/warfighter directly. Why would an end user judge want to adopt your solution? To the extent that you can, make the case that end users -- once they experience your solution -- will ask for it themselves. 


  • QUALITY OF PROSE: Prove you write clearly. Prove you argue convincingly.

Point of Contact

Name

Anna Nichols

Email

annaelizabeth.d.nichols.civ@mail.mil

Title

Not Provided

Phone

Not Provided