Bug Bounty Program Services

If the company is registered in the commercial register or a comparable register in the country of origin, submission of a copy of the extract from the commercial register or equivalent proof from the respective country of origin (not older than 90 days at the time of expiry of the tender deadline) at the request of the client (SPRIND GmbH) after expiry of the tender deadline is required. For foreign documents that are not written in German or English, a simple translation into German or English must be enclosed.

Self declaration to undertake to take out and maintain business liability insurance with the coverage amounts specified below in the event of an award. Insurance coverage shall be provided without restriction and in full for the entire duration of the contact. The sum insured is available twice per annum. Financial loss, personal injury, property damage: At least EUR 1,0 million each claim. Please use the relevant form "Part A_Appendix 01_Self-declarations and evidence".

Self-declaration regarding the company's total turnover and from the business area for "Bug Bounty Program Services" (area of activity of the contract to be awarded) (EUR / net) in the last three completed financial years. Please use the relevant form "Part_Appendix 01_Self-declarations and evidence".

At least three references from reference provider (RP) for the performance of comparable services (successfully bug bounty programs services for government agencies or operators of critical infrastructure (KRITIS) since January 1, 2023, (it is sufficient that the comparable services were also provided in the reference period in the specified reference project, e.g., a reference that began on January 1, 2022, and ended on February 1, 2023, would be sufficient) are to be provided. Only references to successfully bug bounty program services for government agencies or operators of critical infrastructure (KRITIS) are permitted. Each referenced bug bounty program needs to have at least 10 successful bounty payments and needs to be on a bug bounty platform with at least 1,000 security researchers on it. Each reference must be either completed or ongoing. In the case of an ongoing reference specifications of the planned/contractual project duration and information on the current status must be included. The reference providers must be government agencies or operators of critical infrastructure (KRITIS). For verification purposes, at least one reference must include the contact details of a responsible person at the respective company (reference provider), i.e., name, telephone number, and/or email address. Minimum requirements for each reference are therefore: 1. Since January 1, 2023 2. Completed and ongoing reference; if ongoing, specifications of the planned/contractual project duration and information on the current status of the reference project must be included 3. The respective reference must include successfully bug bounty program services for government agencies or operators of critical infrastructure (KRITIS) 4. Each referenced bug bounty program needs to have at least 10 successful bounty payments 5. Each referenced bug bounty program needs to be on a bug bounty platform with at least 1,000 security researchers on it 6. For all 3 references the name and address of the reference provider must be entered/provided. 7. At least one reference must also include the contact details of a responsible person at the respective company (reference provider), i.e., name, telephone number, and/or email address. 8. Of the three references, at least two must be from different reference providers 9. Self-references, i.e. references where the reference provider is the tenderer or a member of the tendering consortium itself, are not permitted and will not be accepted as valid references. Please use the relevant form "Part A_Appendix 01_Self-declarations and evidence".

Self-declaration that the relevant company is certified to ISO/IEC 27001, SOC2 Type 2 or equivalent. SPRIND GmbH reserves the right to request a copy of the certificate and in case of an equivalent certificate, additionally the justification/evidence that this certificate is equivalent after deadline for tenders has passed. Documents that are not in German or in English must be translated in German or in English.