29 October 2025, 18:00
Status:
Ongoing
E-tender
T28375 - Tender for purchasing the penetration testing service
- Announcing entity: JSC Hash Bank
- Procurement type: E-tender
- Bidding type: Without auction
- Participation starts: 22 October 2025 at 08:00
- Proposal acceptance ends: 29 October 2025 at 18:00
Tender Description:
Hashbank is seeking proposals from qualified vendors for Penetration Testing.
The purpose of this document is to inform the bidders about the purchaser's requirements and conditions for the submission of a complete tender proposal.
Tender Process Timeline:
- Tender Announcement: October 21, 2025
- Submission Deadline for Proposals: October 29, 2025
The purchaser reserves the right to suspend, terminate, and/or announce a new tender at any stage of the process, at its sole discretion and without prior notice or agreement with the bidder(s).
Information regarding the suspension or termination of the tender will be made available on the tender announcement portal.
The purchaser also reserves the right to amend or expand the scope of services/procurement requirements prior to signing the contract with the selected bidder. Any such changes will be published on the tender announcement portal.
Scope of Work
External Perimeter, Web Applications (External Black/Grey Box)
- Websites: Static website: hashbank.ge and dynamic web application: business.hashbank.ge
- External Network Infrastructure: research and identify the Bank's public IP addresses (7 addresses) and perform a penetration test against them.
- Testing Type: Grey Box (authentication credentials will be provided to the tester).
API Services:
- Approximately 300 APIs with small, specific functionalities related to 30 services.
Internal Network Infrastructure (Internal Grey Box)
- Internal Network: 300 endpoints, including domain controllers, file servers, databases, Wi-Fi, and banking services.
- Objective: Identify vulnerabilities within the internal network and test for privilege escalation opportunities, test for Lateral Movement.
- Testing Type: Grey Box (the tester will be given standard user access to the network).
Mobile Applications (iOS & Android)
- Applications: Hash Bank's mobile application for iOS and Android platforms.
- Scope: Analysis of the client-side application, including decompilation of the application to identify potential vulnerabilities, security testing of communication with the server (API), and data storage security.
- Testing Type: Grey Box. Authentication credentials will not be provided by the bank; instead, the full onboarding process must be tested (except for third-party integrations).
Requirements for the Bidder
- The bidder must have a minimum of 3 years of experience in the field of penetration testing.
- Proven experience in conducting penetration testing for a financial institution (preferably a bank) is mandatory.
Team Qualifications
- Members of the audit team must hold at least one of the following international certifications: OSCP, OSCE, OSEP, eCPPTv2, eWPTXv2, GPEN or an equivalent.
- Team members pre-approved by the bank may not be changed during the project.
Content of the Tender Proposal
The bidder must submit the following documentation:
- Company Profile: General information about the company, its experience, and specialization.
- Technical Proposal:
  - The proposed testing methodology and approach for each lot (e.g., PTES, OWASP Top 10, NIST SP 800-115).
  - A detailed work plan and timeline.
  - The composition of the project team, their roles, responsibilities, and CVs.
  - Copies of the team members' relevant certifications.
- Commercial Proposal:
  - Cost of services.
- Documentation Proving Experience:
  - A minimum of 3 letters of recommendation and/or acts of acceptance from similar projects completed within the last 2 years (preferably from the financial sector).
Reporting
- The final report must comply with the requirements of the National Bank of Georgia.
- The report must detail the discovered vulnerabilities, their criticality level (e.g., according to the CVSS 3.1 standard), and the steps for their exploitation (Proof of Concept).
- Detailed technical recommendations for the remediation of each vulnerability must be provided.
- The report must be submitted in Georgian or English.
- The report must include both a technical section and a non-technical Executive Summary for management.
Project Timelines
- Final Report Submission: No later than December 15, 2025.
Evaluation Criteria
The submitted proposals will be evaluated based on the following criteria:
- Qualification and Experience (40%): The experience of the company and the team, especially in the financial sector.
- Technical Approach and Methodology (30%): How completely and qualitatively the work plan is described.
- Proposed Price and Terms (30%): The competitiveness of the service cost and payment terms.
Legal and Confidentiality Conditions
- The bidder is responsible for the confidentiality of the information received. A Non-Disclosure Agreement (NDA) will be signed with companies that advance to the next stage of selection before detailed technical information is provided.
- Prior to the start of testing, the Rules of Engagement will be agreed upon and signed with the winning company.
Supplier Requirements and List of Documents to be Submitted
- Annex #1 – Company Details (Requisites);
- At least two (2) recommendation letters related to the requested type of service;
- The bidder must submit a detailed financial offer in accordance with the technical specifications, in PDF format signed by an authorized person, as well as in Excel format. The tender offer must include all costs related to the provision of services, including applicable taxes and other charges incumbent upon the bidder;
- An updated extract from the Register of Entrepreneurs and Non-Entrepreneurial (Non-Commercial) Legal Entities;
- By submitting a tender proposal, the bidder confirms that: (a) they have reviewed the sample Service Agreement provided as Annex #2, which will be signed with the winning bidder. The contract is a template and will be individually adjusted with the selected supplier; and (b) they are aware that during the contract period, they are not entitled to increase the contractual prices or otherwise worsen the buyer’s position.
6. Grounds for Disqualification
The purchaser is authorized to disqualify a bidder if:
- The bidder is listed in the register of debtors;
- The bidder’s property is subject to a registered tax lien, mortgage, or other encumbrance/restriction;
- The bidder is undergoing reorganization, liquidation, or insolvency proceedings;
- The documentation/information required by the tender application is:
  - Not fully submitted;
  - Not in compliance with the specified requirements;
  - Inaccurate or inconsistent with actual facts;
  - Falsified.
- There are other objective circumstances that make the bidder's further participation in the tender impossible.
Confidentiality
The bidder shall be responsible for maintaining the confidentiality of any information provided by the purchaser, both during the selection process and after its completion, regardless of the outcome of the tender.
7. Submission Process
The submission of tender proposals shall be carried out electronically through www.tenders.ge, in accordance with the sealed envelope principle. Tender proposals must be submitted by no later than 18:00 (Georgian local time) on October 29, 2025.
Tender Submission Terms:
- Offers should be submitted on procurement web-page: www.tenders.ge
- Submission Deadline: 29/10/2025, 18:00
- Bid currency: N/A
- Auction type: Without auction
- Instructions to Apply for E-Tender can be found in the attached file
- Any question during the electronic tender process shall be submitted in writing through the Q&A platform of the www.tenders.ge website.
8. Additional Information
For any questions or clarifications, vendors may contact Diana Kadaria at diana.kadaria@hashbank.ge, Tel: +995 551 67 74 67, or Irakli Dalakishvili at irakli.dalakishvili@hashbank.ge, Tel: +995 557 71 33 52, by October 29, 2025.
Tender category:
- 72200000 Software development and consulting services