[unisog] Security Verbiage for Bids or Request for Purchase

Keith Schoenefeld schoenk at utulsa.edu
Thu Apr 14 19:08:15 GMT 2005


I am not a lawyer, but if I were a software/hardware vendor and read the 
current note, I wouldn't balk either.

I see a goal stated, a reference, then a statement discussing compliance 
with a requirement that is never stated.

I would guess that you would have more people balk if it said something 
like:

"By accepting this purchase order, you are verifying that any offer your 
company makes to VA Tech will not contain any hardware and/or software 
that is vulnerable to one or more of the 'SANS/FBI Top 20 Internet 
Threats', a listing of which is available at 
http://www.sans.org/top20.html for your review"

-- KS

marchany at vt.edu wrote:

>We've had a clause in our software purchasing contracts that requires the 
>vendor to certify their software isn't vulnerable to the SANS/FBI Top 20 
>Vulnerabilities. It's been in place since 2002 and we've only had 3 vendors 
>balk since then. I've attached a screenshot of an example.
>
>	-r.


-- 
Keith Schoenefeld
Manager of College Computer Services
College of Engineering and Natural Sciences
The University of Tulsa