Security Review and Remediation of the RFC Production Center Web Accessible Code RFP

IETF Administration LLC Executive Director <exec-director@ietf.org> Fri, 27 September 2019 18:19 UTC

Return-Path: <exec-director@ietf.org>
X-Original-To: ietf-announce@ietf.org
Delivered-To: ietf-announce@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7736412091D for <ietf-announce@ietf.org>; Fri, 27 Sep 2019 11:19:06 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: IETF Administration LLC Executive Director <exec-director@ietf.org>
To: "IETF Announcement List" <ietf-announce@ietf.org>
Subject: Security Review and Remediation of the RFC Production Center Web Accessible Code RFP
X-Test-IDTracker: no
X-IETF-IDTracker: 6.103.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: ietf@ietf.org
Message-ID: <156960834644.12364.18084012531656981969.idtracker@ietfa.amsl.com>
Date: Fri, 27 Sep 2019 11:19:06 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/zAQ7x-RKo5iRrKnOF9xtg3mrxJ0>
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-announce/>
List-Post: <mailto:ietf-announce@ietf.org>
List-Help: <mailto:ietf-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2019 18:19:07 -0000

The IETF Administration LLC (IETF LLC) is soliciting proposals ("Proposals") for the
Security Review and Remediation of the RFC Production Center Web Accessible 
Code RFP.  The RFP is located at:  https://ietf.org/about/administration/rfps/ 
 
Please note the following:

Timeline:

27 Sep:	RFP Issued
04 Oct:	Questions and Inquiries deadline
07 Oct:	Answers to questions issued, RFP Addenda and Update issued
14 Oct:	Proposals due
21 Oct:	Selection made, negotiations begin
01 Nov:	Contract execution
08 Nov:  Work begins

Overview 

The RFC Production Center (RPC) currently maintains a private CVS repository that
houses the code for the RFC Editor website and the public web services provided
there, as well as staff-only web services, command line tools, and utilities used 
by the RPC. There is an effort to move this repository to one that is open to the
public to bring the resources of the Tools Team and volunteer developers to bear
on evolving the codebase. An important first step in this move is inspecting the
code for the web services to ensure the released code does not advertise any
obvious security vulnerabilities, such as SQL insertion attacks against the 
underlying databases.
 
It is not known if there are any such vulnerabilities in the current codebase.
However, it is known that the source contains at least one embedded password
used for communicating with the datatracker. One possible output of this project 
is a report that the codebase is ready to move into the open with only simple 
modifications to address embedded passwords.

Please reply with questions, if any, and a bid if you are interested in pursuing this 
opportunity to ietf-rfps@ietf.org. 

Thanks in advance.

Portia Wenze-Danley
IETF LLC Interim Executive Director