USAID Financial Sector Transparency Activit (FSTA) Request for Quotations #005-04/24/FSTA a penetration test for the Retail Platform web application and its infrastructure in a controlled manner.

USAID Financial Sector Transparency Activit (FSTA) Request for Quotations #005-04/24/FSTA a penetration test for the Retail Platform web application and its infrastructure in a controlled manner.


1.   Background

International Development Group LLC (IDG) is an international development company with extensive experience in implementing aid projects and conducting evaluations in various countries around the world. IDG's assistance programs aim to build capacity, knowledge and skills of both individuals and public and private institutions in the financial sector, strengthening the synergy between local knowledge and international standards.

IDG is implementing the project Financial Sector Transparency in Moldova (FSTA), with the financial support of the United States Agency for International Development (USAID). The project is implemented from September 2019 to August 2024, focusing on strengthening the financial sector and improving transparency through the following objectives:

  • Strengthening the capacity of the Government of Moldova and the National Bank of Moldova to combat financial crime;
  • Capacity Building and support for the Central Securities Depository of Moldova;
  • Capacity Building and support for the National Commission of Financial Markets of Moldova;
  • Assisting the Ministry of Finance in improving budgetary transparency and expanding the government securities market;
  • Conducting information campaigns to inform beneficiaries and the general public about financial sector reforms, made possible with the assistance of the USAID FSTA Project.

Supporting the development of a government securities retail market is one of the Project’s major objectives. This will be achieved through the implementation of an online platform for the direct sale of government securities to individuals. The platform will be owned by the Republic of Moldova and operated and managed by the Ministry of Finance (MoF)of the Republic of Moldova.

The Retail Platform is intended to be a platform used by wide public audience, which will manage investors personal and financial data. Therefore, prior to make it available for public use, it is crucial to conduct a proper evaluation of the system security level, aiming to assess the efficiency of the existing security measures, as well as detect any potential vulnerabilities and weak spots related to the infrastructure, code, or configurations. The timely identification of weaknesses before the system is put into production, will enable taking all necessary preventive and proactive security measures, in order to strengthen the system’s security protection, and ensure cyber defense.

2.   Request for Quotations – Services

Under the Prime Contract with the USAID, IDG invites qualified vendors to submit quotations/bids for conducting a simulation of a real-world hacker attack on the Retail Platform web application and its infrastructure in a controlled manner, using publicly known approaches and techniques to identify security weaknesses, attempt their exploitation and assess the impact of the compromise.

The specific objectives of the pen-testing activities are the following:

  • Identify security weaknesses that can compromise business and technical data used for providing the business services on the Retail Platform (user account profile and data stored in back-end database service);
  • Identify security weaknesses that can compromise the Retail Platform web application functionality; and,
  • Identify security weaknesses that can compromise the web application platform (web server, database management service, billing service, smpt service, etc.).

 The work is expected to be completed by the beginning of July 2024.

1.     RFQ No.


2.     Issue Date

April 4th, 2024

3.     Title

Penentration Testing of the GS Retail Platform Investor Application

4.     Issuing Office, Email/Physical Address for Submission of Quotations

Financial Sector Transparency Activity (FSTA)

International Development Group Advisory Services, LLC Dover, Chisinau branch;

5.     Deadline for receipt of questions

April 10th, 2024; 11:00 AM (Moldovan time)

All communications regarding this solicitation are to be made solely through the Issuing Office and must be submitted via email no later than the date specified above. All questions received will be compiled and answered in writing and distributed to all interested Offerors.

6.     Deadline for receipt of quotations

 April 12th, 2024; 12:00 PM (Moldovan time)

7.     Anticipated Award Type

The anticipated specific terms and conditions are as follows:

Firm Fixed Price Purchase Order Agreement

Issuance of this RFQ in no way obligates IDG to award a subcontract or purchase order and offerors will not be reimbursed for any costs associated with the preparation of their bid.

8.     Basis for Award

An award will be made based on the negotiated best value. The award will be issued to the responsible offeror based on the lowest evaluated price that meets or exceeds the acceptability requirements for technical/non-cost factors described in this RFQ and on full capability of the Offeror to meet or exceed the requirements listed in p. 11 of the RFQ.

9.     General Instructions to Offerors

Offerors shall submit quotations electronically at;

·       The RFQ number and the title of the activity must be stated in the subject line of the email.

·       Offerors shall confirm in writing that the Offeror fully understands that their quotation must be valid for a period of 60 days. 

·       Offerors shall sign and date the Price Schedule.

·       Offerors shall complete Attachment A: Price Schedule template. Prices should be VAT deducted, VAT deduction is applicable for any procurements made by the Financial Sector Transparency Activity, a technical assistance project funded by US Agency for International Development (USAID) and implemented by International Development Group, as per Moldovan Government Decision nr. 246 dated April 8, 2010. The documents for application of VAT deduction shall be provided to the winning offeror.

10.   Structure of the Quotations

The quotation shall include:

1.     Price Quotation (template below), that shall list explicitly the details of the offer.

2.     Offerors are required to submit a detailed cost proposal, which needs to include a table (in MS Excel) showing a breakdown of cost per deliverable outlined in the Specifications of the deliverable table and

3.     Statement on non-cost factor requirements (see point. 11 below)

11.   Scope of Work Requirements for Technical Acceptability

The Statement of Work is specified under Heading 3.

In addition to meeting the statement of work listed below, offerors are required to meet or exceed the significant non-cost factors listed below, demonstrated through documents or self-declarations as applicable:

1.     Offeror must have relevant prior experience working in the relevant subject matter and at least 1 employee must possess at least 2 relevant certificates from the list below:

- Offensive Security Certified Professional (OSCP)

- Offensive Security Web Expert (OSWE)

- Certified Ethical Hacker CEH (Master)

- Licensed Penetration Tester (LPT)

- Global Information Assurance Certification (GIAC) Certifications (e.g., GIAC Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), or GIAC Exploit Researcher and Advanced Penetration Tester (GXPN))

- CREST Penetration Testing Certifications

- Communication Electronic Security Group (CESG) IT Health Check Service (CHECK)

2.     Offeror must provide a statement of their ability and readiness to meet the proposed delivery timelines. This will include a work schedule (including level of effort, key personnel for each major task, and timeframe), and

3.     Offeror must document that they have relevant experienced staff and resources necessary for fulfilling the deliverables, given the time constrains.

3.    Statement of Work

The relevant URLs to be tested will be provided to the successful Bidder. The scope will include the unauthenticated functionality accessible from Internet and the functionality accessible for the authenticated users within the following profiles:

  • Customer profile (Login from the main web page),
  • Admin profile (Login from the main web page);

hereinafter referred to as the “Deliverable”:


Specifications of the deliverable:

Item No.

Item Name

Description /model



External application pen-testing

a.   Perform passive and active information gathering about the web application and the technologies on which they are running;

b.   Perform OWASP security tests on the identified applications (including the following tests: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Broken Access Control, Security Misconfiguration, Sensitive Data Exposure, Insufficient Attack Protection, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Underprotected APIs);

Test exploitability of identified security vulnerabilities and evaluate the impact on customer data company’s infrastructure;

Sections in the Penetration Testing Report;


External network pen-testing

a.      Scan and identify all open ports and active network services of the web application IP;

b.     Perform passive and active information gathering about the identified network services;

c.      Perform network vulnerability scanning with OpenVAS;

d.     Perform security tests specific to the identified network services;

Test exploitability of identified security vulnerabilities and evaluate the impact on customer data company’s infrastructure;

Sections in the Penetration Testing Report;


Documentation of results

a.      Document the Penetration Testing Report. The report will include at least the following sections:

·       Executive summary with narrative for Management about the main findings and conclusions;

·       Description of identified vulnerabilities and recommendations for their mitigation;

Relevant scan results and OWASP controls test results;

Penetration Testing Report;


Period of performance: Penentration Testing of the GS Retail Platform Investor Application

must be completed by 30 June, 2024, the latest. Draft Report must ready for final review by 20 June, 2024, the latest. Additionally, the offeror must remain available throughout the period of implementing security upgrades to address the identified system weaknesses, for collaborating with the IT company implementing the Retail Platform system on properly addressing the issues.



  • IDG will select the offer, based on the negotiated lowest price technically acceptable source selection. The offeror must specify its delivery terms and state clearly how the commitment will be met.
  • In case of abandonment/cancellation of the RFQ, for various reasons, the Contractor does not bear any material/financial responsibility.
  • IDG requires the offers in USD, VAT deducted.
  • Delivery location: digitally to FSTA in Chisinau, Moldova.

Price Quotation Template




Item No.

Item Name

Description (please provide details of the technical approach)


Unit Price, USD (VAT deducted)

Total Price, USD (VAT deducted)
















Total Amount in USD, VAT Deducted

Period of performance: specify the proposed delivery date, with a clear statement of how the delivery date is ensured.

We, the undersigned, provide the attached quotation in accordance RFQ # _______ dated _________Our attached quotation is for the total price of _____________________ (figure and in words). A detailed broken-down cost proposal per deliverable in MS Excel is enclosed to this price quotation.

I certify a validity period of 60 days for the prices provided in the attached Price Schedule/Bill of Quantities. Our quotation shall be binding upon us subject to the modifications resulting from any discussions.


We understand that IDG is not bound to accept any quotation it receives.

Authorized Signature:

Name and Title of Signatory:

Name of Firm:




Fiscal number:

Company Seal/Stamp: