This repository has been archived by the owner on Oct 16, 2019. It is now read-only.

Requirements on Disclosure of Researchers #26

BKozisek7 opened this issue Jul 30, 2018 · 1 comment

@BKozisek7

Question/Comment on TTS Bug Bounty RFQ

Name and affiliation

Brett Kozisek
Director
Synack Inc.

Section of RFQ documents

RFQ Section 3.0 - Requirements on disclosure of researchers - https://github.com/18F/tts-buy-bug-bounty/blob/master/2018-procurement/RFQ.md#30-requirements
Within Bounty Pool Management under sub bullet four it states - “Forward to TTS the vulnerability reports, the names of the researchers, and the award amounts.”

Question/Comment

Would the government require the name of the researcher if the vendor provides protection for the researchers and considers this information confidential and provides confidentiality assurances for researchers?

@MichelleMcNellis
Member

In accordance with RFQ Section 12.0 Addendum - Commercial Contract Clauses, FAR Clauses 52.212-3 Offeror Representations and Certifications -- Commercial Items (Jan 2017), the government will require assurances that the researchers who received the payouts are not from countries forbidden to receive payouts from the government. If a researcher's handle and some other information would be capable of providing the government with these assurances, please outline how and it will be considered.
