Opportunity Details
Tracking Number

Not Provided

Organization

Chief Digital and Artificial Intelligence Office (CDAO)

Start Date

Nov 2, 2022  ET

End Date

Nov 14, 2022  ET

Current Status

Closed

Registration

Open

No Attachments

Classified Bug Bounties
Opportunity Summary
Description
The Chief Digital and Artificial Intelligence Office’s Directorate for Digital Services (“DDS”) is seeking innovative solutions related to the execution of a bug bounty program, aka crowdsourced vulnerability discovery, targeting classified systems within the Department of Defense (DoD).
Additional Information
Submission Deadline:
11/14/2022 at 09:00 PM EST
OPEN CALL FOR INNOVATIVE SOLUTIONS

The Chief Digital and Artificial Intelligence Office (CDAO) is initiating an open call for feedback and innovative solutions to solve Department of Defense (DoD) problems. Innovative means any technology, process, business practice, or any application of an existing technology, process, or business practice that enhances mission effectiveness for the Government. The objective of this Call is to attract and identify best-of-breed solutions to solve the problem sets identified.


This Open Call to Industry has the potential for pilot project awards that may be accomplished via Other Transaction Authority (OTA) for Prototype Projects pursuant to 10 USC 4022b (formerly 2371b). As such, assessment activities conducted in furtherance of a potential pilot project award agreement are considered competitive in the same manner as a Broad Agency Announcement (BAA) or Commercial Solutions Opening (CSO), and solutions will be assessed independently of one another primarily for technical merit. The procedures outlined in this Open Call are considered to satisfy the reasonable effort to obtain competition in accordance with 10 USC 4022b.

WHAT TO EXPECT

In general, you can expect the below from Open Calls to Industry / Digital Proving Ground (DPG) Tradewind Challenges. At this time, CDAO anticipates hosting DPGs quarterly.


DPG expectations:

  • Multiple problem sets for which we are looking for innovative solutions
  • New problems expected to be added to tradewindai.com every quarter
  • Assessment of submitted solutions on a quarterly basis
  • Submit your solutions at any time while problems are published
  • Pay attention to any assessment deadlines identified
PROBLEM TO BE SOLVED

Abstract

DDS is seeking information to extend its current bug bounty operations for the DoD into the classified space; that is, to conduct bounties on classified information systems. Such systems could include traditional IT elements such as IP-based networks, computing systems, and applications, but also Operational Technology (OT) elements including various ICS/SCADA components and operational platforms.

 

We want to understand industry capabilities and interests in applying the commercial bug bounty model into the classified space, and discuss the additional challenges and constraints involved in developing such a capability. This may involve novel business models, use of technology and personnel, and potentially policy modifications.


Background


DDS has planned and executed over 40 bug bounties for the DoD since 2015, working with internal DoD partners (i.e., system owners) and industry partners. Bug bounties improve cybersecurity by gathering vetted independent security researchers (aka “white hat hackers”) to discover and report on cyber vulnerabilities in a time-boxed manner; bounties incentivize researchers via cash awards (“bounties”), recognition, and other incentives. (For more information see e.g., https://en.wikipedia.org/wiki/Bug_bounty_program). Historically, DoD has performed these bug bounties only on unclassified systems. However, DDS and DoD system owners agree that classified systems could benefit from the same approach, subject to the risk management and regulatory issues surrounding classified information and systems.

 

Note: the DoD, through the Defense Cyber Crime Center, operates a Vulnerability Disclosure Program (see https://www.dc3.mil/Missions/Vulnerability-Disclosure/Vulnerability-Disclosure-Program-VDP/). This program is separate from the bug bounties conducted by DDS, and this RFI and any resulting program is not intended to modify DC3 VDP’s operations in any way.


Problem Statement


DDS has a track record of successfully executing bug bounties for the DoD on unclassified systems. We see value in extending the model to classified systems, beginning at the Secret level, and seek information from industry on their interest and capabilities in this area. To be clear, we are not seeking to execute classical penetration testing, which is a slightly different approach. Rather we wish to preserve the model of using “crowdsourced” independent vulnerability researchers, preferably in large groups (dozens to hundreds), managed by an industry partner, and rewarded based on their findings.

 

The key challenges we see are:


1. Availability of appropriately cleared industry partners (facility clearances, cleared employees).

2. Security and suitability of industry partner platforms to store vulnerability data for classified systems.

3. Similar to (1), availability of appropriately cleared independent security researchers.

4. Cost and logistical issues raised if access to the target systems requires on-site presence by the researchers or industry partners.

5. Potential requirement for an on-site or separate cloud instance of the industry partner’s operational platform suitable for storing vulnerability details of classified systems.


Objective


DDS aims to establish an approach to operate bug bounties on classified DoD systems, whereby industry partners are capable and desirous of supporting them on a regular basis. Therefore, this Call to Industry seeks industry feedback/suggestions and/or solutions relating to the construction of such a business and operational model, including timing, resourcing, constraints, and alternative approaches.

SUBMIT YOUR SOLUTIONS!

This Open Call to Industry identifies a multiple-round, competitive assessment process to identify solutions that best solve DoD problems.

 

Unfortunately, there are rarely a multitude of great ideas; there are likely only one or two. This process enables us to focus on the few ideas and solutions that have technical merit and take action with a pilot project award. As a result, not all solution providers will participate in all rounds or obtain a pilot project agreement with the Government.


We also need flexibility as we learn new things during new assessment activities. The Government may skip or combine rounds as necessary to collect and assess information as it relates to proposed solutions. Further, the Government may go back to earlier rounds with clarifications and additional requests as necessary to identify successful solutions that will meet intended pilot project objectives. Finally, the Government may initiate steps toward a prototype project award at any round.


  • ROUND 1 – Discovery Paper (DUE NOV 14) 

If you have feedback or a solution that addresses any of the listed problems, we would love to hear about it. Submit a brief discovery paper for us to assess. CDAO and select subject matter experts may invite those that have interesting feedback and/or the highest potential to solve the problem to Round 2.

 

  • ROUND 2 – Digital Proving Ground (DPG) (DEC 7-8) 

The goal of the DPG is to allow our Industry partners to have the opportunity to pitch in a fast-paced environment with contracting professionals poised to execute rapid pilot project awards. If selected to participate at the DPG, you will receive instructions on whether to prepare for an informal one-on-one technical discussion, demonstration of a solution, “Shark Tank” pitch, or something similar to better understand your solution. Conversations may continue outside of the DPG if additional information is needed to understand detailed solution offerings, determine the feasibility of teaming between separate solution providers, and/or make a Round 3 determination. 

 

  • ROUND 3 – Project Award 

The Government reserves the right to make one, some, or no pilot project awards based on the Round 2 results. Successfully negotiated awards are intended to be Other Transaction Agreements under 10 USC 4022. An award under 10 USC 4022 may result in a subsequent award of a follow-on production agreement without additional competition based on successful prototype completion.

FEEDBACK DURING ASSESSMENT

If you are not chosen for a subsequent round(s), we will make our best efforts to notify you in writing as soon as practical. If you are invited to any round, subsequent round(s), or a return to earlier round(s), we will notify you via email with details and instructions on what information we are looking to assess. We are not able to provide instructions in advance due to the individual variance between problem sets and unique circumstances that may impact a pilot project. We care about transparency and providing timely feedback to help you improve your offerings, but sometimes our team is simply overtaxed. We are currently working to build automated feedback mechanisms into the Tradewind Exchange, but in the meantime, we greatly appreciate your patience if we hit a resource limitation and cannot provide you the feedback you deserve in a timely manner.

NOTICES

Special Notice on Judges

Non-Government, subject matter expert (SME) judges may be used in any assessment activity. Such assessors will be operating at the direction of the Government and through signed non-disclosure agreements (NDAs). The Government understands that information provided in response to this open call is presented in confidence and it agrees to protect such information from unauthorized disclosure to the extent required by law. Your participation in any round of assessment under this Open Call indicates concurrence with the use of Non-Government SME judges.

 

Living Document

This Open Call supporting the Tradewind Prototype Challenges is a living document which is intended to evolve as our business processes are automated, we apply new business practices, or streamline any activity or workflow. All information presented within this document is subject to change. Specifically, the problems identified will be updated throughout the life of this Open Call. Please check in regularly for updates at tradewindai.com.

WHAT DO I SUBMIT IN ROUND 1?

Submit a 2-page Discovery Paper by 0900 Eastern Time on November 14, 2022 answering the following questions and instructions. We will not dictate format, but ask you answer the questions in the order provided.


  • PROBLEM ALIGNMENT: What is your feedback to DDS's outlined challenges and/or how well does your solution map to our published problem(s)? Argue that the solution you’re providing is a fit to solve the published problem(s).


  • VALUE PROPOSITION: Why is your solution the best approach from a technical perspective? If you can convincingly refute alternatives to solving the problem, please briefly do so. If applicable, also consider arguing why the end user/warfighter would prefer your solution. 


  • OPERATIONAL IMPACT: Looking only at the DoD personnel who will be impacted by your solution, argue that their jobs or lives will be significantly improved if your solution is adopted. What is the impact of your solution vs. today's solutions? 


  • END USER DEMAND: Make your best pitch to the end user/warfighter directly. Why would an end user judge want to adopt your solution? To the extent that you can, make the case that end users -- once they experience your solution -- will ask for it themselves. 


  • QUALITY OF PROSE: Prove you write clearly. Prove you argue convincingly.

Point of Contact

Name

Anna Nichols

Email

annaelizabeth.d.nichols.civ@mail.mil

Title

Not Provided

Phone

Not Provided