Vulnerability Disclosure Program Enterprise Management System (VDP EMS)

During the RFI phase of this requirement, two questions were received. The questions and answers are provided below. Please review the Q&A and keep them in mind when the official solicitation is published. This RFI has NOT been extended further.

Question 1: Is the Government specifically seeking vendors who can provide a proprietary, crowdsourced VDP platform license (e.g., HackerOne, Bugcrowd), or will you also consider integrators who can deliver compliance, security automation, and Microsoft Sentinel-based triage/reporting workflows in partnership with a platform provider?

DC3 is directly seeking a proprietary, crowdsourced VDP platform license; Hackerone, BugCrowd, SynAck. Anything outside of this would impact mission success.

Question 2: Can you clarify the “250 crowdsourced vulnerability - bug tag and annual mailings”? Understand the concept here is that we would be responsible for the logistics and shipping of any DC3 provided items used to recognize researchers.

This would be in regard to delivering “swag” (inexpensive tangible goods like stickers, coins, t-shirts) to the researcher community. Specifically, DC3 disseminates “swag” for things such as “hacker of the month” or “hacker of the year.” The vendor will be responsible for distributing the “swag” on DC3’s behalf (verifying mailing addresses, packaging swag, paying for the shipping, getting the swag to the shipper, etc).

End Questions and Answers

---------------------------------------------------------------------

The Department of Defense Cyber Crime Center (DC3) is conducting market research for an enterprise management system to support its Vulnerability Disclosure Program (VDP) and Defense Industrial Base (DIB) VDP. The system shall facilitate collaboration, compliance, and management of the VDPs. Key requirements include:

• Enterprise-grade VDP platform license/subscription for two instances (DoD VDP and DIB VDP).


• Vulnerability submission and management workflows.


• Integration, via API, with DC3's Atlassian Jira-based Vulnerability Report Management Network (VRMN) systems.


• Mediation support for researcher inquiries.


• Tools and processes for effective vulnerability triage and resolution (e.g., CVSS scoring).


• Advanced analytics and custom reporting capabilities.


• Dedicated account team with customer support and customer success functions.

Interested vendors are encouraged to review the attached draft Performance Work Statement (PWS) for detailed requirements and provide feedback on the PWS.

7/14/2025 - Amended solicitation to extend response due date to 18 Jul 2025.