Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

June 16, 2015

Fed Biz Opp – Security

Filed under: Cybersecurity,Security — Patrick Durusau @ 2:39 pm

The US Navy wants to buy your zero-day vulnerabilities by Graham Cluley.

Graham reports on a solicitation from the Department of the Navy for zero-day vulnerabilities. The solicitation has been removed but Dave Maass preserved a copy here.

From the solicitation:

70-Common Vulnerability Exploit Products
Solicitation Number: N0018915T0245
Agency: Department of the Navy
Office: Naval Supply Systems Command
Location: NAVSUP Fleet Logistics Center Norfolk

The vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). This list should be updated quarterly and include intelligence and exploits affecting widely used software. The government will select from the supplied list and direct development of exploit binaries.

The vendor shall accept vulnerability data to include patch code, proof of concept code, or analytic white papers from the government to assist with product development. Products developed under these conditions will not be available to any other customer and will remain exclusively licensed to the government.

Documentation of technical expertise must be presented in sufficient detail for the Government to determine that your company possesses the necessary functional area expertise and experience to compete for this acquisition.

I understand the solicitation has now been removed from the FedBizOpps.gov site. I checked with the solicitation number and that appears to be true.

Perhaps the GSA is going to issue a more general solicitation on behalf of all government agencies.

The only odd thing I noticed in the solicitation was the exclusive license to the government of any exploit. Certainly possible, but that would push the cost up several times over.

There are already private exchanges for vulnerabilities, but they operate in the shadows, so it isn’t an efficient market. Congress should de-criminalize vulnerability exploits (unless used) so there can be an open market in vulnerabilities. Vendors and the government can compete alongside others in such a market.

One advantage to such a market is the vulnerability hunters could make a legitimate living from the sale of the fruits of their labors. Less temptation to engage in unsavory activities.
