Penetration Tester for Bike Index (bikeindex.org)

About Bike Index

Bike Index is the world's largest open-source bicycle registration platform. We help cyclists register their bikes and recover them when stolen — we've helped recover tens of thousands of bikes and are trusted by police departments, bike shops, and cycling communities globally. Our platform handles sensitive user data, stolen bike reports, and integrates with law enforcement systems, so security is critical to our mission.

What We're Looking For

We're seeking an experienced penetration tester / ethical hacker to conduct a thorough security assessment of bikeindex.org. This is a scoped engagement — we want to find vulnerabilities before bad actors do.

Scope of Work

- Web application penetration test of bikeindex.org (Rails-based app)
- API security testing (REST endpoints, authentication flows)
- Authentication & session management review (OAuth, user accounts)
- OWASP Top 10 vulnerability assessment
- Business logic flaws (e.g., unauthorized bike record manipulation, impersonation)
- Sensitive data exposure checks (PII, stolen bike reports, law enforcement data)
- Optional / stretch: infrastructure/cloud config review if access is scoped

Deliverables

- Findings report with severity ratings (Critical / High / Medium / Low / Info)
- Proof-of-concept documentation for each confirmed vulnerability
- Remediation recommendations written for a development team
- Executive summary suitable for non-technical stakeholders
- Retesting of critical findings after fixes (one round)

Requirements

- Demonstrated experience with web app pentesting (please include sample reports or portfolio; redacted is fine)
- Familiarity with Ruby on Rails applications preferred
- Proficiency with tools such as Burp Suite, OWASP ZAP, SQLMap, Nmap, Metasploit, etc.
- Relevant certifications a plus: OSCP, CEH, GWAPT, eWPT, or similar
- Clear written English for report deliverables
- Must sign a Rules of Engagement / NDA prior to start
- Must agree to responsible disclosure practices — no data exfiltration, no DoS

Nice to Have

- Experience testing open-source or nonprofit platforms
- Familiarity with public API security testing
- Prior work with law enforcement-adjacent or civic-tech applications

Engagement Details

- Type: Fixed-price project (~10 hours of work)
- Timeline: Report delivered within 1 week of kickoff
- Access: Black-box or grey-box (we can discuss scope)
- Testing environment: We can provide a staging environment for destructive tests

How to Apply

Please include:

- A brief overview of your approach to web app pentesting
- 1–2 examples of past work (redacted reports, writeups, CVEs, or bug bounty disclosures)
- Your proposed timeline and fixed-price quote
- Any clarifying questions about scope

We're a small nonprofit team that moves fast and communicates openly.