Project Detail

Description

STATEMENT OF USER NEED

UNDERSTANDING

Credit will be given to bidders who read and understand all of the Statement of User Need. Standard replies and missing information will receive a negative inference.

The successful builder will:

1. Knowledge Base. Have extensive knowledge and understanding of the Source Code Escrow process (also known as Software Escrow). http://en.wikipedia.org/wiki/Source_code_escrow

2. Current Agreements. Have standing Source Code Escrow agreements with other customers. (Desirable)

3. Cryptography. Have an expert understanding of encryption and cryptographic techniques to government standards.

4. Outright Sale. Agree that the company [EscrowProtect] will own the software, and all associated IPR, outright, including but not limited to the source code and all associated components. There will be no EULA. All rights to license, copy, alter or re-sell will be passed to the company on receipt of the final payment.

5. Support Solution. Do not include a support solution in your initial bid. Bidders are to quote this cost separately if they intend to provide it.

BRIEF

Develop a software application that will allow software developers to “deposit” source code in a organised, simple and consistent way. It must be efficient, tidy and easy to use.

The application will reside on a flash memory device and prompt the user through the complete process. It must be consistent, yet flexible enough to deal with every possible type of deposit. This will ensure that all the critical and added value information is reliably captured:

E.g. Version Numbers, ESCROW Agreement number, expected size (used for gross error checks), designer's contact details, Source Code Platform, Operating System, special tools (e.g. compression), passwords, operating manuals, special instructions, etc. etc.

At the end of the process the application will encrypt the code and extra information ready for safe transmission to the ESCROW agent. The encryption must be unbreakable and must require another physical device (holding the key), held only by the ESCROW agent, to successfully decrypt the software.

NEXT STEPS

The next step in the Escrow process is for the deposit to be verified. The bidder coming up with the clearest and most imaginative ideas for automating (as far as is possible) the next part of this process is highly likely to win the bid. Remember, it is not testing the software in the traditional sense, it is testing for integrity and completeness.

There is a possibility to do this process online. Bidders will be asked to comment on the pros and cons of this approach.


Additional information submitted:

10/17/2009 at 13:52 EDT:
Developer Agrees:

1. to have his code put in ESCROW by EP and signs an online agreement. [Standard Agreement]
2. when the source code can be released to end user and signs online. [Release Clauses]
3. what information he will supply; and, agrees to keep it up to date. [Key Disaster Recovery Info & Notifiable Occurrences]
4. that he will update the code on certain triggers: new version, significant minor updates and/or every 1/2/3/4 months. [Update Trigger]

Then:

1. Developer follows on screen prompts, fills out carefully crafted online forms (GUI) and selects a file for upload.
2. The data is compressed and encrypted using a public key.
3. The data is held on a central server. Developer and End User can "see" the files via a password protected account & login, and, even download them (if he wants to). Neither can decrypt.
4. Data is mirrored on server - 2nd level security (1st is the encryption).
5. Automated 1st integrity check is carried out (0kb files, source code present when flag is set from upload, plus other clever stuff we can think of)
6. Server is backed up to SSD after every upload and weekly using Grandfather, Father, Son. - 3rd level security.
7. An Update Trigger occurs.
8a. An automated email is sent to developer and end user with links etc.; or
8b. Developer initiates update as part of the agreement (e.g. version upgrade).
9. The developer chooses fresh upload, individual files or clicks to say no update is necessary in accordance with the agreement.
10. repeat 1 to 6.
11. A release event occurs.
12. ESCROW agent decrypts code.
13a. End User downloads code to main site to begin immediate disaster recovery; or
13b. Code is held awaiting the appointment of a new developer.

Finally.

Company offers further verification services:

Bronze: Test download and human-check of data.
Silver: Rebuild at 3rd party site (trusted verifier)
Gold: Rebuild at End Users site.

Thanks,

Chris.