CRDF Global is seeking an institution or an individual SME (subject matter expert) to mentor Ukraine grantee institution in establishing the Bug Bounty Center and carry out piloting of a Bug Bounty program for the Government of Ukraine.

SUMMARY:

CRDF Global is seeking an institution or an individual SME (subject matter expert) to mentor Ukraine grantee institution in establishing the Bug Bounty Center and carry out piloting of a Bug Bounty program for the Government of Ukraine.

BACKGROUND:

An increasing number of organizations in the public and private sectors around the world use Bug Bounty models to improve their ability to detect and remediate vulnerabilities in their systems. Such use of Bug Bounty models helps organizations to improve the cyber resilience of their systems to cyber-attacks and build cybersecurity capacity through mobilizing collective efforts of many ethical hackers around the world. This, helps to improve the cybersecurity stability of national information and telecommunication systems, including critical information infrastructures, whereby increasing the level of cybersecurity globally.
CRDF Global is planning to implement a project designed to establish a pilot vulnerability disclosure program (Bug Bounty Center) for the Government of Ukraine (GOU). This project addresses a key gap in the GOU’s ability to adequately secure and tests its networks, chiefly the inability of non-governmental actors to conduct ‘white hat’ penetration testing (pentest), common in more advanced cybersecurity cultures, such as the U.S. The GOU’s inability to conduct similar testing is derived from Ukrainian legislation that criminalizes such third-party testing, thus hindering the GOU’s ability to safeguard its networks more effectively.
The Bug Bounty Center program provides an effective solution for overcoming these legal obstacles. In order to address the GOU’s cybersecurity needs and remain compliant with Ukrainian legislation, CRDF Global engages Ukraine’s National Security Defense Council’s (NSDC), National Coordination Center for Cybersecurity (NCCCS) to host and stand up the proposed Bug Bounty operation. Establishing the Bug Bounty Center within the NSDC/NCCCS provides cybersecurity personnel of NSDC/NCCCS, critical infrastructure, and governmental authorities the legal authority to pentest government ministries, institutions, or utilities in accordance with Ukrainian legislation.
CRDF Global is seeking at least one Local or International institution to support training and mentorship for Bug Bounty Center personnel operating in the NSDC/NCCCS. Potential Contractor can be Local/International organization, whose employee white hat hackers that can constructively engage in vulnerability assessments, or be an individual SME. The Contractor should possess significant relevant experience operating similar Bug Bounty programs and providing comprehensive cybersecurity training globally.

SCOPE:

The Contractor shall provide mentoring and training services as well as recommendations, assessment, and relevant expertise during the establishment of the Bug Bounty Center aimed to strengthen vulnerabilities disclosure program for the Government of Ukraine. The Contractor will closely cooperate with a grantee institution and NSDC/NCCCS while providing mentioned above services. CRDF Global will be reposnible for the coordination of contractor’s activity as well as relationships with a grantee institution and NSDC/NCCCS.

CONTRACTOR REQUIREMENTS:

Requirements for staff

1. For an institution:

a. The Contractor shall gather a highly qualified team that includes an SME (subject matter expert) or propose a separate SME for the entire duration of the contract. All tasks and deliverables of the project referred to under the Statement of Work need to be covered by the team or a separate SME.

b. If the Сontractor proposes the team, it shall include:

i. key expert (SME) as a Team Leader, responsible for the overall project implementation and the management of the team;

ii. a quantity of non-key experts with specific qualifications related to the Statement of Work is not limited.

c. If the Сontractor proposes a separate SME, he/she should be responsible for the overall project implementation and have specific qualification related to the Statement of Work.

d. General professional experience for Key Expert:

i. a minimum of five years of working experience in the related field;

ii. at least three years of experience as a Team Leader in projects with the duration equal or exceeding 6 months.

e. Specific professional experience for Key Expert/SME:

i. at least three years of specific experience related to Bug Bounty projects;

ii. at least three years of training activities;

iii. experience with the public sector in the cybersecurity would be advantageous;

iv. basic knowledge of Russian/Ukrainian and experience of working on the territory of ex-USSR countries would be advantageous;

v. proven experience of preparing capacity assessments and/or comparative analyses in the area of Bug Bounty models/programs is required.

2. For an individual SME

a. The Contractor shall be available for the entire duration of the contract. All tasks and deliverables of the project referred to under the Statement of Work need to be covered by the Contractor.

b. The Contractor should be responsible for the overall project implementation and have specific qualifications related to the Statement of Work.

c. General professional experience for the Contractor:

i. a minimum of five years of working experience in the related field;

ii. at least three years of experience as a Team Leader in projects with the duration equal to or exceeding 6 months.

d. Specific professional experience for the Contractor:

i. at least three years of specific experience related to Bug Bounty projects;

ii. at least three years of training activities;

iii. experience with the public sector in the cybersecurity would be advantageous;

iv. basic knowledge of Russian/Ukrainian and experience of working on the territory of ex-USSR countries would be advantageous;

v. proven experience of preparing capacity assessments and/or comparative analyses in the area of Bug Bounty models/programs is required.

PROPOSAL REQUIREMENTS:

Each proposal must include:
• Statement of Interest and Technical Capabilities (max. three pages)
• Short description of the proposed approach for project implementation (max. two pages)
• Cost proposal, which should include information about staff hour rate and number of hours that could be spent on the project implementation*
• CV(s) (max. 2 pages per CV)
• List of recent experience in the Subject Matter area and applicable references/past performance.

*Travel and lodging expenses for the Key expert/SME will be covered by CRDF Global and should not be included in the budget.

TIMETABLE:

{August 5th, 2020}: RFP Questions due

{August 7th, 2020}: RFP Questions & Answers released

{August 11th, 2020}: RFP submissions due

{August 14th, 2020}: Contract start date

SUBMISSION:

Proposals should be submitted to [email protected] & [email protected] or [email protected], no later than {6.00 pm, August 11th, 2020, Kyiv time, GMT+3}.

Proposals should be submitted as electronic documents in PDF, Word, or Excel format. Indicate the subject of the letter - ‘Bug Bounty Center proposal’.