RFP -- Security Researcher


<h2><span>Scope of work</span></h2><p><span>In coordination with FPF’s other engineers and researchers, the contractor will:</span></p><ul><li><p><span>Conduct application security reviews across SecureDrop components.</span></p></li><li><p><span>Assist in performing threat modeling for new features and architectural changes.</span></p></li><li><p><span>Review pull requests and design documents with a focus on the security properties of new features and the security implications of architectural changes.</span></p></li><li><p><span>Assist in preparing materials for, and reviewing findings from, third-party security audits.</span></p></li><li><p><span>Advise on hardening strategies for SecureDrop’s deployment environments.</span></p></li><li><p><span>Review and integrate security automation tooling, such as LLMs, static code analyzers, and other tools that can discover or mitigate security vulnerabilities.</span></p></li></ul><h2><span>Desired qualifications</span></h2><ul><li><p><span>At least three years of experience designing or attacking secure systems (threat modeling, penetration testing, security assessments, protocol design, etc.).</span></p></li><li><p><span>Production coding experience in at least two of the following: Python, TypeScript, or Rust.</span></p></li><li><p><span>Strong working knowledge of Linux systems security (kernel hardening, AppArmor, SELinux, etc.).</span></p></li><li><p><span>Experience identifying and reasoning about browser/web vulnerabilities (XSS) and Electron-specific issues (file handling, IPC, etc.).</span></p></li><li><p><span>Comfort working with open source projects in a collaborative, distributed team environment.</span></p></li></ul><h2><span>Preferred skills</span></h2><ul><li><p><span>One-plus year of professional experience with Qubes OS, Tails, or other high-security desktop environments.</span></p></li><li><p><span>One-plus year of professional incident response experience.</span></p></li><li><p><span>Experience using or developing security monitoring tools (e.g., intrusion detection systems, file integrity monitoring).</span></p></li><li><p><span>Familiarity with Tor, onion services, OpenPGP, and other privacy-enhancing technologies.</span></p></li></ul><h2><span>Terms of contract</span></h2><p><span>This is a part-time, hourly contract — the contractor will be paid at a rate of USD $80 per hour, up to 30 hours per week, invoiced on a monthly basis. The contractor will be solely responsible for paying any and all taxes incurred as a result of their compensation.</span></p><p><span>The contract will commence on a mutually agreeable date no later than Aug. 1 for an initial duration of six months, with the possibility of renewal.</span></p><h2><span>Proposal requirements</span></h2><p><span>If you would like to be considered for this opportunity, please submit the following:</span></p><ul><li><p><span>A brief statement of interest (one-page maximum), which includes your availability (hours per week in U.S. Eastern time and any known constraints). Please do so by including that text in the space labeled “Cover Letter.”</span></p><ul><li><p><span>Please be sure to include relevant experience or examples of prior work (links to GitHub, write-ups, audits, etc.).</span></p></li></ul></li><li><p><span>A CV/résumé.</span></p></li></ul>
