CIRCL - Request for Proposals for Software Services and Engineering (2025-01)

The scope of the RfP is the supply and delivery of Software Services and Engineering to CIRCL within a scope of internal software. The candidate supplier must submit an offer for a single package. The candidate supplier can select the package for which it wishes to bid. The RfP falls into the category of “MARCHÉS PUBLICS DE FAIBLE ENVERGURE”.

Package 01 - Lookyloo, Pandora development and maintenance

  • Pandora is an open source analysis framework that discovers whether a file is suspicious and conveniently shows the results;
  • Lookyloo is an open source project composed of a web interface and a back-end which allows users to capture a website page and then display a tree of the domains that call each other;
  • Lacus is an open source project for crawling;
  • The supplier must handle the development of PyMISP and related toolsets in close collaboration with the CIRCL team;
  • The supplier must maintain the integration of PyMISP with existing and upcoming CIRCL tools;
  • The supplier must handle the development of the Lookyloo project, Pandora framework, Lacus and related toolsets used for analysis in close collaboration with the CIRCL team;
  • The supplier must handle issue tracking and resolution including specific and custom developments requested by CIRCL;
  • The supplier must maintain the code including the review and merge of pull-requests from third parties;
  • The supplier must evaluate and contribute to the evolution of the Lookyloo project and Pandora with CIRCL;
  • The supplier must maintain the associated documentation to keep it in line with the Lookyloo services and Pandora online services;
  • The community management of the Lookyloo project and Pandora framework will be handled by the supplier along with CIRCL;
  • The supplier will work with CIRCL to test and maintain production systems accessible to users;
  • The supplier will work with CIRCL to integrate with the incident process and toolset at CIRCL including urlabuse;
  • The supplier must follow the open source development methodologies defined by CIRCL and the Lookyloo or Pandora community;

Package 02 - vulnerability-lookup project improvement and NIS2 CVD support

  • The supplier must handle the development of the vulnerability-lookup project in close collaboration with the CIRCL team.
  • The supplier must manage issue tracking and resolution, including specific and custom developments requested by CIRCL.
  • The supplier must maintain the code, including reviewing and merging pull requests from third parties.
  • The supplier must keep the associated documentation up to date and in line with the vulnerability-lookup project.
  • The community management of the vulnerability-lookup framework will be handled by the supplier in collaboration with CIRCL.
  • The supplier will work with CIRCL to test and maintain production systems accessible to users.
  • The supplier must adhere to the open-source development methodologies defined by CIRCL and the vulnerability-lookup community.
  • Requests and updates for vulnerability-lookup must be followed up via GitHub issues.

Package 03 - Assessment of vendor statement in vulnerability disclosure

When software vendors release statements about vulnerabilities, they often provide information about the issue, its impact, and the corresponding remediation steps, such as patches, updates, or configuration changes. However, it is critical to validate these statements to ensure their accuracy and effectiveness in addressing the vulnerabilities.

  • The supplier must provide a technical process to review the selected CIRCL vulnerabilities against the statements of the software vendors.
  • The supplier must review statements from software vendors against the provided patches or updates to ensure they align with the vendors’ remediation efforts.
  • The supplier must provide regular write-ups, in coordination with the CIRCL team, for the technical evaluation of the vendors' responses.
  • The supplier must provide a fixed cost for the assessment process, detailing the scope of the services included and any assumptions or limitations.

Bid submission

The offers are to be submitted to info@circl.lu before the 15th January 2025 12:00 CEST in ASCII or PDF format. The offer proposal must be separated per package. A bidder can submit for one or more packages. The offer must be in EURO. The offer must at least include a description of the package proposed, technical details and clearly mention Proposal for Software Services and Engineering (2025-01).

Selection criteria

  • (1) Compliance with specifications;
  • (2) Pricing;
  • (3) Past performance of the bidder concerning technical capabilities and experience with the listed tools;
  • (4) Understanding of Open Source methodologies including collaboration and community management;
  • (5) Compliance with existing open source licensing;

Delivery location

The offers must include delivery to the following address in Luxembourg, or via remote services for software engineering services:

CIRCL - Computer Incident Response Center Luxembourg
c/o "Luxembourg House of Cybersecurity" g.i.e.
122, rue Adolphe Fischer
L-1521 Luxembourg
Grand-Duchy of Luxembourg

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 December 15th 2024 - Initial version TLP:CLEAR.