In an invitation for bid (IFB) released Friday on the California State Government Marketplace, the California Department of Technology seeks fixed-price bids, or solicitations, for Bugcrowd’s “security platform Software as a Service (SaaS).” Founded in 2012 in Australia and “flipped” to the U.S. the following year per its website, the company’s products cover penetration testing, bug bounties, vulnerability disclosure and attack surface management. Bugcrowd, which has offices in San Francisco, launched its Security Knowledge Platform in 2014. Among the takeaways:
- The IFB is a renewal for the “Bugcrowd Security Platform,” it said. The state’s subscription/membership enables it to utilize the “web-based platform that connects companies with researchers testing their applications” and it supports CDT’s Security Operations Center (SOC) by providing “security testing to help prevent malicious attacks.” If a renewal isn’t approved, the IFB said, “the impact to other state entities could be potentially major leaving the state network infrastructure increasingly vulnerable to potential malicious activity.” CDT uses Bugcrowd, which it characterized as a “SaaS subscription,” to connect entities and security researchers for app testing. It also uses the platform for “targeted application testing” on state assets; and if renewed, the subscription would enable CDT to continue using the “Statewide Vulnerability Disclosure Program and manage risk via the Attack Surface Management Portal.”
- The contractor ultimately chosen will be responsible for “successful performance of all subcontractors and support services.” The state will consider the contractor selected its “sole point of contact” on contractual matters. Among other contractor responsibilities, the company must “allow and coordinate testing” yearly with CDT staff around “performance, functionality, and availability testing of the secondary backup site”; must have a secondary site as a “backup, failover and redundancy site” that’s at least 250 miles from the primary production location; on continuity testing, must provide the state with a copy of its “ISO 22301 certification,” including a third-party attestation to the contractor’s “process to validate continuity and recovery capabilities”; and must let the state run acceptance testing “concerning application use during the period of fail-over testing.” The contractor must ensure support is provided by Bugcrowd throughout the agreement’s term.
- Requirements for respondents include all cost data asked for, in the format set by the cost workbook; and all areas of response labeled “mandatory” or “mandatory optional.” Respondents must also include a cover letter with their final bid, on letterhead, containing their “binding offer,” good for 120 calendar days from the scheduled award date; a statement “indicating the bidder has available staff with the appropriate skills to complete the agreement for all services and provide all deliverables”; and it must be signed by someone authorized to “bind the proposing firm contractually.”
- Once approved by CDT, the agreement’s term will be a “three-year base term.” No value is stated for any potential contract. Written questions are due by 2 p.m. Friday. Bid upload instruction requests are due by 2 p.m. June 14. Final bids are due by 2 p.m. June 16. Dates for negotiations, best and final offer submissions and award notification haven’t been set. However, the agreement execution date has been set as June 30. The contract will run from approval through June 14, 2026.