Requirement: Vulnerability Research Services on Commercial Off-The-Shelf (COTS) Software
Location: Off-Site
Cost Not to Exceed: EUR 128,700 per contract
Total Scope of the Request (hours): 800 working hours (minimum)
Period of Performance: June 2026 - 18 December 2026
Required Start Date: ASAP
End Contract Date: 18 December 2026
Required Security Clearance: NATO UNCLASSIFIED
Please do NOT apply for any NATO contract positions unless you meet ALL the following criteria:
- Current National or NATO SECRET clearance
- Nationality of one of the NATO member countries
- Current work visa for the specific location if applying for an in-country position
Background and Objective
- This Statement of Work (SoW) is issued by the NATO Communications and Information Agency (NCIA) to procure highly specialized vulnerability research services targeting Commercial Off-The-Shelf (COTS) software products. The objective of this procurement is to enhance NATO's cyber defence posture by identifying previously unknown vulnerabilities, including complex, chained, and non-trivial security weaknesses, within selected software systems.
- This requirement goes beyond conventional penetration testing and instead focuses on long-duration, deep technical analysis. The Contractor shall apply advanced vulnerability research techniques to develop a comprehensive understanding of the security posture of the designated targets. The output of this work will directly support NATO's defensive, analytical, and operational cyber capabilities.
- Due to the specialized and exploratory nature of vulnerability research, the services shall be procured under a Level of Effort (LOE) professional services model.
Product Scope
The exact target in scope of this contract will be provided following contract award and will be within the following categories:
- Network Security: routers/switches, Load Balancers, VPN gateways/concentrators, Firewalls.
- Perimeter/Edge Security: Secure Web Gateways (SWG), Secure Email Gateways (SEG).
- Endpoint Security: MDM (Mobile Device Management).
- Application Security: WAF (Web Application Firewall).
The Contractor shall perform advanced vulnerability research, including but not limited to:
- Reverse engineering of binaries, firmware, or protocols.
- Static and dynamic analysis.
- Fuzzing and variant analysis.
- Manual code review (where applicable).
- Exploit development and validation.
- Chaining of vulnerabilities into realistic attack scenarios.
- The Contractor shall procure any required software licenses as agreed with the Purchaser and establish a secure testing environment within NATO member states. All activities must be conducted in isolated environments under the Contractor's control.
- Software license costs incurred by the Contractor in the performance of this contract may be charged to the applicable CLIN 1.1 for hourly labor rates, provided that the aggregate value of such software license costs does not exceed five percent (5%) of the total contract value. Any software license costs charged under this provision shall result in a corresponding reduction in the number of labor hours available under the CLIN, calculated based on the applicable fully burdened hourly labor rates. The total amount billed under the contract shall not exceed the funded value of the contract as a result of these charges.
- Any costs higher than 5% of total contract value will be procured and provided by the Purchaser.
Out of Scope
- Purely automated scanning without manual validation.
- Reporting of low or informational findings without exploit relevance.
- Denial-of-Service (DoS) vulnerabilities unless explicitly approved.
- Compliance-only assessments.
The Contractor shall adopt a research-driven methodology on COTS software designated by NCIA. The methodology may cover the following:
- Target Analysis.
- Vulnerability Discovery: Combination of automated and manual techniques (Reverse Engineering, fuzzing, static and dynamic analysis, protocol analysis, etc.); emphasis on novel attack vectors.
- Validation and Exploitation: Proof-of-concept (PoC) development; demonstration of real-world impact.
- Chaining and Impact Analysis: Development of multi-step attack chains where applicable; clear articulation of impact (e.g., RCE, lateral movement).
- False Positive Elimination: All findings must be validated and reproducible.
Technical Approach
- Demonstrated understanding of the requirements and scope of this solicitation.
- Confirmed compliance with each mandatory technical requirement, including the ability to establish a secure testing environment within NATO member states.
- Proof of adequate manpower and resources to execute the contract over the period of performance.
- Proposed and described research-driven methodology covering target analysis, vulnerability discovery, validation and exploitation, chaining and impact analysis, and false positive elimination.
- Publicly disclosed vulnerabilities (e.g., CVEs) within the last 24 months.
- Technical write-ups, blog posts, conference presentations, or private reports/documents demonstrating vulnerability research capability.
- Demonstrated experience in at least one of the following product categories: Network Security (routers/switches, Load Balancers, VPN gateways/concentrators, Firewalls); Perimeter/Edge Security (Secure Web Gateways, Secure Email Gateways); Endpoint Security (MDM); or Application Security (WAF).
- Demonstrated capability in exploit development, including Remote Code Execution (RCE) chains.
- Demonstrated capability in reverse engineering of native code, firmware, or embedded systems.
- Demonstrated capability in modern vulnerability classes including memory corruption, logic flaws, authentication bypass, and related weaknesses.