Request for Proposal: Information Security Services

The Open Technology Fund (OTF) is soliciting proposals from Information Security professionals and agencies to provide services to OTF’s Red Team Lab.
Thu, 2023-07-06 07:51

Link to full RFP

Submit by September 12, 2023 to [email protected]

About OTF:

OTF is an independent 501(c)(3) non-profit corporation registered in the District of Columbia. OTF is fully funded by the U.S. Government.

OTF’s mission is to advance internet freedom in repressive environments by supporting the research, development, implementation, and maintenance of technologies that provide secure and uncensored access to the internet to enable all citizens to exercise their fundamental human rights online.

About the Red Team Lab:

OTF strives to strengthen the security of open-source software by providing services through the Red Team Lab. The lab focuses on improving the software security of projects that advance OTF’s internet freedom goals by examining code and data so the people behind the tools have what they need to create a safer experience for people facing repressive information controls online.

Scope of Services Requested

The majority of Red Team Lab projects consist of OTF-funded technology projects and other circumvention tools, messaging applications, and software libraries that are relevant to the internet freedom community. OTF-supported tools are built with a wide range of coding languages, and are audited at different stages of the software development lifecycle.

In addition to the above, the Red Team Lab acknowledges that malicious software is increasingly being introduced by repressive governments to reduce or remove their citizens’ ability to communicate safely and privately. OTF also seeks vendors capable of reverse engineering software of this nature in order to determine the extent of undisclosed data collection. That said, please note these types of audits are not a requirement for all Lab vendors.

The scope of this contract is to provide assigned projects with security assessments based on code review, penetration testing, and end-point security.

OTF intends to award indefinite delivery, indefinite quantity (IDIQ) contracts to multiple vendors with a performance period of one year, with the option to extend for an additional year. The maximum ceiling for an awarded IDIQ agreement will be $250,000 for the first year and another $250,000 for the option year should OTF choose to exercise the option year. Following the award of IDIQ contracts to selected vendors, work will be ordered on a per-work-order basis as needed, and OTF does not guarantee that the full ceiling value of the IDIQ contract will be used.

Primary Services:

Vendors are expected to meet at least one of the four primary requirements, which are Security Services, Cryptography Services, Forensics Analysis, and/or Software Health Check.

Applicants should specify in their application which of the four services below they want to provide. Please be advised that applicants don’t need to meet all listed bullet points under each category and should specify which of the listed sub-services they’re able to provide.

I – Security Services for Web, Server, Mobile, Embedded & General Software Applications

–Threat Modeling, with a care towards harm reduction for high-risk users

–Design & Architecture Review

–Application Abuse & Logic Testing

–Application Security Testing and Source Code Review

–Penetration Testing (Application and Network)

–Blackbox testing

–Reverse Engineering

–Vulnerability Assessments

–Network Analysis

–DDoS Testing & Mitigation

–Threat Detection

–Incident Response

–Where applicable, examination of hardware security posture during analysis

–Publishing mitigations to known vulnerabilities

–Training in best practices for the above requirements.

II – Cryptography Services

–Existing Design, Architecture, & Implementation Review

–New Design & Implementation Assistance

–Protocol Review

–Product Review

–Reverse Engineering

–Publishing mitigations to known vulnerabilities

–Training in the design and implementation of cryptographic code and protocols.

III – Forensic Analysis

–Technical investigations

–Reverse engineering of apps and tools

IV – Software Health Check

–Investigation into the agility of software

Support Services

In addition to the Primary Service Categories, service providers must be able to provide the following Support Services:

–Work with OTF staff and project maintainers (where possible) with advice on fixing found vulnerabilities

–Work with OTF staff to offer initial, quick, and informal assessments of apps, without those needing to be extensive, fully formal audit reports.

–Prepare final reports and discuss any findings with OTF staff and project maintainers. Reports are made public if all parties to the audit agree.

–Provide ad hoc expertise and input to OTF regarding aspects of Information Security, cryptography, and/or network protocol review.

–Work with awarded projects to appropriately scope out each Red Team Lab engagement in a way that acknowledges users in high-risk contexts (for example, activists targeted by nation state actors). OTF expects auditors to critically examine proposed project scopes and make suggestions as appropriate.

Proposal Submission

Submit by September 12, 2023 to [email protected]

Information to be submitted in your Proposal must include:

1) An overview of the business enterprise;

2) Biographical sketches or CVs of the key employee(s) and staff who would be assigned to this project;

3) Specify the category/categories of work you are applying for;

4) Vendor’s relevant qualifications, including specific experience with different kinds of security auditing, penetration testing, and code review; and any relevant experience working with the activism, human rights, and the internet freedom community;

5) Specify how you’ll be able to meet the support service requirements listed above;

6) Specify if you are willing to analyze software created by certain governments;

7) Specify if your team has the bandwidth to meet the time commitment required for this Lab (auditors conduct an average of 4-10 audit engagements per contract, each of which includes auditing, remediation testing, and reporting);

8) Specify or attach your responsible disclosure policy (especially important for those looking to audit government-mandated software);

9) Specify or attach your privacy and data protection policies, with special attention on your procedures to protect the privacy and security of projects you work with;

10) Other services your vendor provides, if any;

11) Five client references of similar work performed, with at least one provided from an individual or group working within the Internet Freedom community; and

12) Acknowledgement that the vendor accepts the Standard Provisions in Appendix A.

Pricing

Provide a fully-burdened hourly rate for providing services to Open Technology Fund on a per-work-order basis. If you are providing a discount on your regular commercial rates, please also provide those commercial rates for comparison. OTF will not be separately covering materials, indirect (G&A), or incidental costs, so please ensure your hourly rate will cover all costs associated with the services to be provided.

Individuals can contact [email protected] with questions regarding this RFP. As OTF practices full and open competition, all questions, and the answers to those questions, will be consolidated into a single document and posted publicly along with this RFP. This document will not include any personally identifiable information.

If it becomes necessary to revise any part of this RFP, an Addendum will be posted publicly and provided to each vendor that received the original RFP.

Restrictions on the use of data contained within a proposal must be clearly stated. Due to OTF’s evaluation process for RFPs, it cannot sign non-disclosure agreements with any bidder. All material submitted regarding this RFP becomes the property of OTF and will only be returned to the bidder at OTF’s option.

All costs incurred in the preparation of the proposal response to this RFP will be the responsibility of the responding vendors and will not be reimbursed by OTF.

Schedule of Activities

July 6, 2023: RFP announced

September 12, 2023: Proposal submission due

Selection Process

The criteria for selection of the successful proposal will include adequacy and completeness of the proposal, general experience, qualifications, review of prior work, and response from references. Those short-listed may be requested to attend brief follow-up calls. Although the price will be an important factor, it will not be the only factor considered.

OTF reserves the right to accept or reject any or all bids, to take exceptions to the RFP specifications, and to waive any requirements stated herein.

OTF reserves the right to make an award based solely on the proposals or to negotiate with one or more vendors. Issuance of this RFP, preparation, submission, and evaluation of bidder responses does not commit OTF to award a contract to any vendor. The award of the IDIQ contract does not guarantee the award of work orders under that contract, which will vary based on need and availability. OTF reserves the right to cancel or modify this solicitation at any time for any reason within its sole discretion without liability.

Frequently Asked Questions

We’ll be updating this section as we get questions throughout the RFP process.

Is OTF interested in working with NGOs or organizations other than security firms as part of the Red Team Lab?

Yes. OTF is accepting applications from enterprise security firms, NGOs, hackerspaces, and other kinds of cooperatives that will help meet the primary purpose of the Lab, which is to improve the security and privacy posture of OTF-supported projects.

What if security consultancy isn’t the primary focus of my organization?

The Lab is currently set up in such a way that the primary outputs are vulnerability disclosures and audit reports which are made available publicly to the internet freedom community, and that is an expectation for Red Team Lab vendors to meet. If your organization is interested in and is able to provide those services, then you’re qualified to apply. Any creative solutions, processes, or expertise you bring to the table will be considered as part of the review process.

Does OTF have expectations for their Red Team Lab vendors beyond traditional security consultancy work?

As OTF supports projects aimed at assisting high-risk internet users, we expect Red Team Lab vendors to scope out projects and examine code with them in mind, and look forward to reviewing how applicants approach this challenge.

Are RFP applicants all expected to opt in to conducting public safety audits (audits where Red Team Lab partners analyze state-mandated software)?

Public safety audits are only one of the audit categories in this lab. OTF does not expect all RFP applicants to express interest in this category.

Is OTF willing to negotiate anonymity for public safety auditors as part of the RFP review process?

OTF expects public safety auditors to manage the coordinated disclosure process for all engagements. The question of vendor anonymity depends on what each applicant’s disclosure process entails.

Will client references be published anywhere?

No. OTF does not publish references or the contents of RFP application packages as a rule.