Grant for Ukrainian institutions to establish and develop a Bug Bounty Center
05.08.2020

CRDF Global in Ukraine is seeking a local organization/institution to establish and implement a Bug Bounty Center in Ukraine.

GRANT AWARD: $200,000

DURATION OF THE PROJECT: 5 months

SUMMARY:

CRDF Global is seeking a Ukrainian organization/institution to establish the Bug Bounty Center in Ukraine and carry out piloting of the Bug Bounty Program with the use of grant funds awarded by the CRDF Global.

BACKGROUND:

An increasing number of organizations in the public and private sectors around the world use Bug Bounty models to improve their ability to detect and remediate vulnerabilities in their systems. Such use of Bug Bounty models helps organizations to improve the resilience of their systems to cyber-attacks and build cybersecurity capacity by mobilizing the collective efforts of many ethical hackers around the world. This helps to improve the cybersecurity stability of national information and telecommunication systems, including critical information infrastructures, thereby increasing the level of cybersecurity globally.

CRDF Global is planning to implement a project designed to establish a pilot vulnerability disclosure program (Bug Bounty Center) for the Government of Ukraine (GOU). This project addresses a key gap in the GOU’s ability to adequately secure and test its networks, chiefly the inability of non-governmental actors to conduct ‘white hat’ penetration testing (pentest), common in more advanced cybersecurity cultures, such as the U.S. The GOU’s inability to conduct similar testing is derived from Ukrainian legislation that criminalizes such third-party testing, thus hindering the GOU’s ability to safeguard its networks more effectively.

The Bug Bounty Center program provides an effective solution for overcoming these legal obstacles. In order to address the GOU’s cybersecurity needs and remain compliant with Ukrainian legislation, CRDF Global engages Ukraine’s National Security Defense Council’s (NSDC) National Coordination Center for Cybersecurity (NCCCS) to host and stand up the proposed Bug Bounty operation. Establishing the Bug Bounty Center within the NSDC/NCCCS provides cybersecurity personnel of NSDC/NCCCS, critical infrastructure, and governmental authorities the legal authority to pentest government ministries, institutions, or utilities in accordance with Ukrainian legislation.

CRDF Global is seeking a Ukrainian institution to implement the Bug Bounty Center operating in the NSDC/NCCCS. The potential Grantee should be a Ukrainian institution whose employees will constructively engage in establishing the Bug Bounty Center in Ukraine and carry out piloting of the Bug Bounty program. The Grantee should possess significant relevant experience operating similar Bug Bounty programs and providing comprehensive cybersecurity training. For the implementation of the Bug Bounty Center, the Grantee will be awarded a $200,000 grant. Granted funds can be used only for covering expenses related to the implementation of the Bug Bounty program.

SCOPE:

The Grantee shall provide services (trainings, preparing reports, etc.) and purchase necessary equipment and software for the implementation of the Bug Bounty program aimed at strengthening the vulnerability disclosure program for the Government of Ukraine. All prepared materials and purchased hardware and software should be transferred to the ownership of the NSDC/NCCCS, including intellectual property in the prepared materials. Document preparation, as well as any purchases, should be approved by CRDF Global and the NSDC/NCCCS.

The Grantee will closely cooperate with an SME and NSDC/NCCCS while providing the above-mentioned services. CRDF Global will be responsible for the coordination of the Grantee’s activity as well as relationships with an SME and NSDC/NCCCS.

 

*TASKS AND DELIVERABLES IN THE ATTACHMENT*

 

GRANTEE REQUIREMENTS: 

Requirements for the staff: 

a. The Grantee shall gather a highly qualified team that includes a Key expert, cybersecurity specialists, IT engineers, and other relevant staff for the entire duration of the contract. All tasks and deliverables of the project referred to under the Statement of Work need to be covered by the team.

b. The proposed team shall include:

  1. Key Expert responsible for the overall project implementation and the management of the team, consisting of a number of non-key experts with specific qualifications related to the Statement of Work (number is not limited) and including cybersecurity specialists, IT engineers, and certified pentesters.
  2. General professional experience for Key Expert:
    • a minimum of five years of working experience in the cybersecurity field;
    • at least five years of experience as a Team Leader in projects with a duration equal to or exceeding six months.
  3. Specific professional experience for Key Expert:
    • at least three years of specific experience related to Bug Bounty projects or penetration testing;
    • language knowledge - fluent English is required;
    • proven experience of preparing capacity assessments and/or comparative analyses of Bug Bounty models/programs is required;
    • experience with the public sector in the cybersecurity field would be advantageous.
  4. Specific requirements for non-key experts:
    • trainers - at least three years of training activities and experience in conducting cybersecurity trainings for the commercial/government sector;
    • pen-testers – should have ethical hacker certificates;
    • language knowledge - fluent English is required;
    • experience with the public sector in the cybersecurity field would be advantageous.

PROPOSAL REQUIREMENTS:

Each proposal must include:

  • Statement of Interest and Technical Capabilities (Short description of Applicant, Reasons for applying, Achievements, Applicable references, and Past performance, etc.);
  • Description of the proposed approach for the project implementation, including project plan based on mentioned tasks and deliverables;
  • Detailed budget including: hourly rates, expected number of hours for staff planned to be engaged, hardware and software purchase estimates;
  • CV(s) of all staff members to be engaged in project implementation (max. 2 pages per CV).

TIMETABLE:

{August 12th, 2020}: RFP Questions due

{August 14th, 2020}: RFP Questions & Answers released

{August 19th, 2020}: RFP submissions due

{August 21st, 2020}: Contract start date

CONTRACTOR SELECTION CRITERIA:

CRDF Global will select the Grantee that provides the best approach to and experience in the project implementation. The Grantee should have proven experience working with Bug Bounty projects. The Grantee is subject to final approval by the NSDC/NCCCS.

SUBMISSION:

Proposals should be submitted only in English to [email protected][email protected], [email protected] no later than {6.00 pm, August 19th, 2020, Kyiv time, GMT+3}. Proposals should be submitted as electronic documents in PDF, Word, or Excel format. Indicate the subject of the letter - ‘Grant - Bug Bounty Center (Ukraine)’.

BACKGROUND:  

Founded in 1995, CRDF Global is an independent nonprofit organization that promotes international scientific and technical collaboration through grants, technical resources, training, and services. Based in Arlington, Virginia, with offices in the Eurasia and MENA regions, CRDF Global works with more than 40 countries in the Middle East, North Africa, Eurasia, and Asia. We specialize in bringing isolated scientific communities into the scientific mainstream through a variety of science engagement and capacity-building programs. CRDF Global encourages science cooperation between countries where official relations are strained.

More information is available at www.crdfglobal.org.
