The Chief Digital and Artificial Intelligence Office’s Directorate of Digital Services (“DDS”) is seeking information related to responding to potentially widespread and critical cybersecurity vulnerabilities such as log4j. DDS wishes to address this class of problem by maintaining a “rapid response” bug bounty program, also known as crowdsourced vulnerability discovery, targeting systems within the Department of Defense (DoD). The salient differentiator from typical bug bounties is that DDS desires the capability to start a bounty within a very short timeframe, i.e., 1-3 days.
DDS is seeking information to extend its current bug bounty operations for the DoD into a “rapid response” mode; that is, to begin a bounty on information systems, typically to look for a widespread and critical vulnerability, within a very short timeframe, i.e., 1-3 days. Target systems could include traditional IT elements such as IP-based networks, computing systems, and applications, but also Operational Technology (OT) elements including various ICS/SCADA components and operational platforms.
We want to understand industry capabilities and interests in applying the commercial bug bounty model in a way that allows DoD to rapidly respond to critical vulnerabilities, such as the log4j vulnerability discovered in 2021. This may involve novel business/pricing models, use of technology and personnel, and potentially policy modifications.