Posted 1d ago

RFP -- Security Researcher

@ Freedom of the Press Foundation
United States
$80/hr · Remote · Contract, Part Time
Responsibilities: review security, assess architecture, support audits
Requirements Summary: Contract security researcher for SecureDrop; remote; up to 30 hrs/week; six-month engagement; USD 80/hr.
Technical Tools Mentioned: Python, Typescript, Rust, Linux, AppArmor, SELinux, Qubes OS, Tails, Tor, OpenPGP
Job Description

Scope of work

In coordination with FPF’s other engineers and researchers, the contractor will:

  • Conduct application security reviews across SecureDrop components.

  • Assist in performing threat modeling for new features and architectural changes.

  • Review pull requests and design documents with a focus on the security properties of new features and the security implications of architectural changes.

  • Assist in preparing materials for and reviewing findings from third-party security audits.

  • Advise on hardening strategies for SecureDrop’s deployment environments.

  • Review and integrate security automation tooling, such as LLMs, static code analyzers, and other tools that can mitigate or discover security vulnerabilities.

Desired qualifications

  • At least three years of experience designing or attacking secure systems (threat modeling, penetration testing, security assessments, protocol design, etc.).

  • Production coding experience using at least two of the following: Python, Typescript, or Rust.

  • Strong working knowledge of Linux systems security (kernel hardening, AppArmor, SELinux, etc.).

  • Experience identifying and reasoning about browser/web vulnerabilities (XSS) and Electron-specific issues (file handling, IPC, etc.).

  • Comfort working with open source projects in a collaborative, distributed team environment.

Preferred skills

  • One-plus year of professional experience with Qubes OS, Tails, or other high-security desktop environments.

  • One-plus year of professional incident response experience.

  • Using or developing security monitoring tools (e.g., intrusion detection systems, file integrity monitoring).

  • Familiarity with Tor, onion services, OpenPGP, and other privacy-enhancing technologies.

Terms of contract

This is a part-time, hourly contract — the contractor will be paid at a rate of USD $80 per hour, up to 30 hours per week, invoiced on a monthly basis. The contractor will be solely responsible for paying any and all taxes incurred as a result of their compensation.

The contract will commence on a mutually agreeable date no later than Aug. 1 for an initial duration of six months, with the possibility of renewal.

Proposal requirements

If you would like to be considered for this opportunity, please submit the following:

  • A brief statement of interest (one-page maximum), which includes your availability (hours per week in U.S. Eastern time and any known constraints). Please do so by including that text in the space labeled “Cover Letter.”

    • Please be sure to include relevant experience or examples of prior work (links to GitHub, write-ups, audits, etc.).

  • A CV/résumé.