RFP -- Security Researcher

Scope of work

In coordination with FPF’s other engineers and researchers, the contractor will:

• Conduct application security reviews across SecureDrop components.

• Assist in performing threat modeling for new features and architectural changes.

• Review pull requests and design documents with a focus on the security properties of new features and the security implications of architectural changes.

• Assist in preparing materials for and reviewing findings from third-party security audits.

• Advise on hardening strategies for SecureDrop’s deployment environments.

• Review and integrate security automation tooling, such as LLMs, static code analyzers, and other tools that can mitigate or discover security vulnerabilities.

Desired qualifications

• At least three-plus years experience designing or attacking secure systems (threat modeling, penetration testing, security assessments, protocol design, etc.).

• Production coding experience using at least two of the following: Python, Typescript, or Rust.

• Strong working knowledge of Linux systems security (kernel hardening, AppArmor, SELinux, etc.).

• Experience identifying and reasoning about browser/web vulnerabilities (XSS) and Electron-specific issues (file handling, IPC, etc.).

• Comfort working with open source projects in a collaborative, distributed team environment.

Preferred skills

• One-plus year of professional experience with Qubes OS, Tails, or other high-security desktop environments.

• One-plus year of professional incident response experience.

• Using or developing security monitoring tools (e.g., intrusion detection systems, file integrity monitoring).

• Familiarity with Tor, onion services, OpenPGP, and other privacy-enhancing technologies.

Terms of contract

This is a part-time, hourly contract — the contractor will be paid at a rate of USD $80 per hour, up to 30 hours per week, invoiced on a monthly basis. The contractor will be solely responsible for paying any and all taxes incurred as a result of their compensation.

The contract will commence on a mutually agreeable date no later than Aug. 1 for an initial duration of six months, with the possibility of renewal.

Proposal requirements

If you would like to be considered for this opportunity, please submit the following:

• A brief statement of interest (one-page maximum), which includes your availability (hours per week in U.S. Eastern time and any known constraints). Please do so by including that text in the space labeled “Cover Letter.”

  • Please be sure to include relevant experience or examples of prior work (links to GitHub, write-ups, audits, etc.).

• A CV/résumé.