Contract: Combined Synopsis/Solicitation

Vulnerability Disclosure Program (VDP) Enterprise Management System (EMS)

DEPT OF DEFENSE FA701425RVDPE
Response Deadline
Jan 14, 2026
Deadline passed
Closed
Set-Aside
Full & Open
Notice Type
Combined Synopsis/Solicitation

Contract Opportunity Analysis

The Department of Defense, specifically the Department of the Air Force, is seeking proposals for a Vulnerability Disclosure Program (VDP) Enterprise Management System (EMS) to support its Cyber Crime Center (DC3). The procurement aims to acquire a commercial platform that facilitates vulnerability submission workflows, researcher engagement tools, and advanced reporting capabilities for both the DoD VDP and the Defense Industrial Base (DIB) VDP. This system is crucial for enhancing cybersecurity by leveraging crowdsourced expertise to identify and remediate vulnerabilities, with the contract encompassing a base period of 12 months and multiple option periods. Interested vendors must submit their proposals by January 9, 2026, and can direct inquiries to Phelicha Silva at phelicha.silva@us.af.mil or Ryan Amos at ryan.amos.5.ctr@us.af.mil. Please note that funding for this contract is contingent upon the availability of appropriated funds.

Classification Codes

NAICS Code
541519
Other Computer Related Services
PSC Code
7A21
IT AND TELECOM - BUSINESS APPLICATION SOFTWARE (PERPETUAL LICENSE SOFTWARE)

Solicitation Documents

6 Files
Attachment 2 CLIN Worksheet.xlsx
Excel, 30 KB, Jan 12, 2026
AI Summary
The Attachment 2 CLIN Worksheet outlines the pricing structure for the Vulnerability Disclosure Program (VDP) Enterprise Management Solution (EMS). It details a base year from February 2026 to January 2027, followed by four option years, each covering the DoD and DIB VDP Software License Subscriptions. The worksheet emphasizes the offeror's responsibility to ensure accurate calculations for all line items and includes an automatic calculation for a six-month extension, in accordance with FAR 52.217-8, based on half of the final option year's proposed amount. While quantities are set at one for each subscription, the prices are currently listed as $0.00, indicating that offerors are expected to fill in their proposed unit prices to determine the total contract value over the entire period of performance.
RFQ COMBO_VDP EMS.pdf
PDF, 275 KB, Jan 12, 2026
AI Summary
The Department of the Air Force seeks a Firm-Fixed Price contract for a Vulnerability Disclosure Program (VDP) Enterprise Management Solution (EMS) to support the DoD Cyber Crime Center (DC3). This solicitation (FA701425RVDPE) aims to secure annual licenses/subscriptions for two VDP EMS instances (DoD VDP and DIB VDP). The solution must offer vulnerability submission workflows, researcher engagement tools, advanced analytics, and dedicated support. The contract includes a base year (February 2026 – January 2027) and four option years, plus a six-month extension. Proposals are due by January 9, 2026, 1600 EST. Evaluation prioritizes technical merit (technical and management approach) over cost, with technical factors being significantly more important.
Attachment 1 VDP EMS Performance Work Statement (PWS).pdf
PDF, 401 KB, Jan 12, 2026
AI Summary
This Performance Work Statement outlines the requirements for a contractor to provide a Vulnerability Disclosure Program (VDP) Enterprise Management System for the Department of Defense (DoD) Cyber Crime Center (DC3). The VDP aims to enhance the security of the DoD Information Network and Defense Industrial Base networks by leveraging crowdsourced cybersecurity expertise. The contractor will provide two enterprise management system licenses/subscriptions, vulnerability submission and management workflows, community engagement features, integration capabilities, mediation support, and tools for vulnerability triage and resolution. Key deliverables include the licenses, workflows, kickoff meeting arrangements, and transition plans. The contract has a 12-month base period with multiple option periods, and performance will occur at both contractor and government sites. Security, compliance, and quality assurance are critical components of the contract.
VDP EMS - RFP Questions and Answers.pdf
PDF, 78 KB, Jan 12, 2026
AI Summary
This document outlines requirements for a government Vulnerability Disclosure Program (VDP), focusing on researcher engagement, system integration, mediation, and vulnerability triage. Key points include integrating with DC3 Jira for one-way data flow from the commercial platform, with future consideration for two-way sync. DC3 analysts are the final arbiters in dispute resolution and handle all triage work, aiming for a five-business-day turnaround per PWS section 2.1 Service Summary SS – 2. The platform should include a "comments" section for direct researcher communication. Support is required during standard business hours, with remote account teams being acceptable. The system needs to support single-project DIB VDP with DC3 analysts managing asset scope. Security requirements include data exchange via platform API and API key over port 443, with a one-time PIN or username/strong password for access, not CAC/PIV. Contractor personnel require a minimum Secret clearance, and the security page must satisfy PWS requirements and be done by the contractor. AI and automation for triage are not currently a requirement but may be considered in the future, with human-in-the-loop oversight by the internal analyst team. Auto-remediation advice is not considered a significant strength as mitigation is handled at the DoW component level.
VDP EMS - RFP Questions and Answers_Rev 1.pdf
PDF, 98 KB, Jan 12, 2026
AI Summary
This government file outlines the DC3's requirements and expectations for a commercial platform to support its Vulnerability Disclosure Program (VDP). Key areas addressed include researcher engagement, with no immediate need for advanced vetting or skill-based pulling but potential future consideration. Integration with existing DC3 IT systems is crucial, specifically a one-way data sync from the commercial platform to DC3's Jira service via API and API key over port 443. Two-way syncing is a future upgrade. Security protocols prioritize current standards and do not require SSO via CAC/PIV, instead accepting one-time PINs or username/strong passwords. Migration of old vulnerability data is unlikely. DC3 analysts are the final arbiters in dispute mediation and handle all vulnerability triage and validation of mitigation actions, with the platform expected to offer a comments section for direct researcher communication. The platform's workflow should support DC3 analysts in conducting triage within set thresholds (e.g., 24 or 72 hours). AI and automation for validation and triage are not immediate requirements but may be considered later. Support needs are standard business hours, remote, and the platform must handle DIB asset management. The contractor is responsible for providing the security page that satisfies the PWS requirements, and triage is completed by the contractor. A minimum Secret clearance is required for the contractor team, but not TS for FTEs.
Attachment 1 VDP EMS Performance Work Statement (PWS)_Rev 1.pdf
PDF, 407 KB, Jan 12, 2026
AI Summary
The Performance Work Statement outlines the Department of Defense Cyber Crime Center's (DC3) requirement for an enterprise management system for its Vulnerability Disclosure Program (VDP). This system will support the DoD VDP and Defense Industrial Base (DIB) VDP by leveraging crowdsourced cybersecurity expertise to identify and remediate vulnerabilities. The contractor will provide two enterprise-grade VDP platform licenses/subscriptions, including vulnerability submission and management workflows, inbox, security page, disclosure workflow, community engagement, hacktivity, leaderboard, reputation system integration capabilities, seamless integration with existing DC3 IT systems, mediation support, tools for triage and resolution, advanced analytics, custom reporting, and a dedicated account team. Key deliverables include the licenses, workflows, bug tag and annual mailings, kickoff meeting, and transition plans. The contract has a 12-month base period and multiple option periods. Security requirements, including a final TS Facility Clearance and ITAR compliance, are critical.

Project Timeline

Original Solicitation Posted: Dec 17, 2025
Amendment #1 (Description Updated): Jan 8, 2026
Latest Amendment (Description Updated): Jan 12, 2026
Response Deadline: Jan 14, 2026
Archive Date: Jan 29, 2026

Agency Information

Department
DEPT OF DEFENSE
Sub-Tier
DEPT OF THE AIR FORCE
Office
FA7014 AFDW PK

Point of Contact

Name
Phelicha Silva

Place of Performance

Linthicum Heights, Maryland, UNITED STATES
