Penetration Tester for Bike Index (bikeindex.org)
About Bike Index
Bike Index is the world's largest open-source bicycle registration platform. We help cyclists register their bikes and recover them when stolen — we've helped recover tens of thousands of bikes and are trusted by police departments, bike shops, and cycling communities globally. Our platform handles sensitive user data, stolen bike reports, and integrates with law enforcement systems, so security is critical to our mission.
What We're Looking For
We're seeking an experienced penetration tester / ethical hacker to conduct a thorough security assessment of bikeindex.org. This is a scoped engagement — we want to find vulnerabilities before bad actors do.
Scope of Work
Web application penetration test of bikeindex.org (Rails-based app)
API security testing (REST endpoints, authentication flows)
Authentication & session management review (OAuth, user accounts)
OWASP Top 10 vulnerability assessment
Business logic flaws (e.g., unauthorized bike record manipulation, impersonation)
Sensitive data exposure checks (PII, stolen bike reports, law enforcement data)
Optional / stretch: infrastructure/cloud config review if access is scoped
Deliverables
Findings report with severity ratings (Critical / High / Medium / Low / Info)
Proof-of-concept documentation for each confirmed vulnerability
Remediation recommendations written for a development team
Executive summary suitable for non-technical stakeholders
Retesting of critical findings after fixes (one round)
Requirements
Demonstrated experience with web app pentesting (please include sample reports or a portfolio; redacted copies are fine)
Familiarity with Ruby on Rails applications preferred
Proficiency with tools such as Burp Suite, OWASP ZAP, SQLMap, Nmap, and Metasploit
Relevant certifications a plus: OSCP, CEH, GWAPT, eWPT, or similar
Clear written English for report deliverables
Must sign a Rules of Engagement / NDA prior to start
Must agree to responsible disclosure practices — no data exfiltration, no DoS
Nice to Have
Experience testing open-source or nonprofit platforms
Familiarity with public API security testing
Prior work with law enforcement-adjacent or civic-tech applications
Engagement Details
Type: Fixed-price project (~10 hours of work)
Timeline: Report delivered within 1 week of kickoff
Access: Black-box or grey-box (we can discuss scope)
Testing environment: We can provide a staging environment for destructive tests
How to Apply
Please include:
A brief overview of your approach to web app pentesting
1–2 examples of past work (redacted reports, writeups, CVEs, or bug bounty disclosures)
Your proposed timeline and fixed-price quote
Any clarifying questions about scope
We're a small nonprofit team that moves fast and communicates openly.