VULNERABILITY DISCLOSURE PROGRAM ENTERPRISE MANAGEMENT SYSTEM (VDP EMS)

AI Summary

The Department of Defense Cyber Crime Center is seeking vendors for an enterprise management system to support its Vulnerability Disclosure Program. Key requirements include a VDP platform license, integration with existing systems, and support for vulnerability management workflows. Interested vendors should review the draft Performance Work Statement and provide feedback.

Contract details

Solicitation No.: FA701425X000X
Notice Type: Sources Sought
Posted Date: July 24, 2025
Response Deadline: July 18, 2025
NAICS Code: 541519 AI guide
PSC / Class Code: 7A21
Issuing Office: FA7014 AFDW PK
Sub-Agency: DEPT OF THE AIR FORCE
Agency: DEPT OF DEFENSE
Primary Contact: Phelicha Silva
City: ANDREWS AFB
State: MD
ZIP Code: 20762-6604
AI Product/Service: service

Description

During the RFI phase of this requirement, two questions were received. The questions and answers are provided below. Please review the Q&A and keep them in mind when the official solicitation is published. This RFI has NOT been extended further.

Question 1: Is the Government specifically seeking vendors who can provide a proprietary, crowdsourced VDP platform license (e.g., HackerOne, Bugcrowd), or will you also consider integrators who can deliver compliance, security automation, and Microsoft Sentinel-based triage/reporting workflows in partnership with a platform provider?

DC3 is directly seeking a proprietary, crowdsourced VDP platform license; Hackerone, BugCrowd, SynAck. Anything outside of this would impact mission success.

Question 2: Can you clarify the “250 crowdsourced vulnerability - bug tag and annual mailings”? Understand the concept here is that we would be responsible for the logistics and shipping of any DC3 provided items used to recognize researchers.

This would be in regard to delivering “swag” (inexpensive tangible goods like stickers, coins, t-shirts) to the researcher community. Specifically, DC3 disseminates “swag” for things such as “hacker of the month” or “hacker of the year.” The vendor will be responsible for distributing the “swag” on DC3’s behalf (verifying mailing addresses, packaging swag, paying for the shipping, getting the swag to the shipper, etc).

End Questions and Answers

---------------------------------------------------------------------

The Department of Defense Cyber Crime Center (DC3) is conducting market research for an enterprise management system to support its Vulnerability Disclosure Program (VDP) and Defense Industrial Base (DIB) VDP. The system shall facilitate collaboration, compliance, and management of the VDPs. Key requirements include:

Enterprise-grade VDP platform license/subscription for two instances (DoD VDP and DIB VDP).
Vulnerability submission and management workflows.
Integration, via API, with DC3's Atlassian Jira-based Vulnerability Report Management Network (VRMN) systems.
Mediation support for researcher inquiries.
Tools and processes for effective vulnerability triage and resolution (e.g., CVSS scoring).
Advanced analytics and custom reporting capabilities.
Dedicated account team with customer support and customer success functions.

Interested vendors are encouraged to review the attached draft Performance Work Statement (PWS) for detailed requirements and provide feedback on the PWS.

7/14/2025 - Amended solicitation to extend response due date to 18 Jul 2025.

Key dates

July 24, 2025Posted Date
July 18, 2025Proposals / Responses Due

AI search tags

vulnerability disclosure program cybersecurity services software integration enterprise management system crowdsourced platform

Frequently asked questions

VULNERABILITY DISCLOSURE PROGRAM ENTERPRISE MANAGEMENT SYSTEM (VDP EMS) is a federal acquisition solicitation issued by DEPT OF DEFENSE. Review the full description, attachments, and submission requirements on SamSearch before the response deadline.