Service New South Wales intends to set up a vulnerability disclosure program and bug bounty for security researchers and has issued an official tender for that purpose.
Four core objectives are set out by Service NSW:
- A vulnerability disclosure program (VDP)
- A private bug bounty program
- Program and researcher management
- Technical considerations and training
The VDP will provide a structured framework for external security researchers to responsibly report vulnerabilities, and must apply to all production services and endpoints within Service NSW.
An invite-only private bug bounty program is also part of the tender.
This would enable a select group of security researchers to identify and report vulnerabilities in particular systems, with bounties potentially paid for accurate, unique and valid reports that fall within the program's scope.
The contract-winning supplier is expected to design, implement and manage the private bug bounty program for Service NSW, including vetting the external security researchers.
The tender documentation does not set out how much ethical and white-hat hackers can expect to be rewarded.
Service NSW expects the platform and its data to be hosted within a secure service, with a monthly uptime of 99.95 per cent.
Solution requirements include access for corporate users via security assertion markup language (SAML) single sign-on (SSO) and Okta.
The solution should integrate with external systems including ServiceNow, Microsoft Teams, PagerDuty, Slack and webhook-based event-driven callbacks.
Other requirements are maintenance of certification to the ISO/IEC 27001 international information security management standard and a System and Organization Controls (SOC 2) Type 2 attestation.