[unisog] Security Verbiage for Bids or Request for Purchase

Keith Schoenefeld schoenk at utulsa.edu
Thu Apr 14 19:08:15 GMT 2005

I am not a lawyer, but if I were a software/hardware vendor and read the 
current note, I wouldn't balk either.

I see a goal stated, a reference, then a statement discussing compliance 
with a requirement that is never stated.

I would guess that you would have more people balk if it said something 

"By accepting this purchase order, you are verifying that any offer your 
company makes to VA Tech will not contain any hardware and/or software 
that is vulnerable to one or more of the 'SANS/FBI Top 20 Internet 
Threats', a listing of which is available at 
http://www.sans.org/top20.html for your review"

-- KS

marchany at vt.edu wrote:

>We've had a clause in our software purchasing contracts that requires the 
>vendor to certify their software isn't vulnerable to the SANS/FBI Top 20 
>Vulnerabilities. It's been in place since 2002 and we've only had 3 vendors 
>balk since then. I've attached a screenshot of an example.
>	-r.

Keith Schoenefeld
Manager of College Computer Services
College of Engineering and Natural Sciences
The University of Tulsa
