RFP -- Security Researcher

Freedom of the Press Foundation (FPF)
$80

About The Position

The contractor will conduct application security reviews, assist in threat modeling, review pull requests and design documents, prepare materials for and review findings from third-party security audits, advise on hardening strategies for deployment environments, and review and integrate security automation tooling. This is a part-time, hourly contract position.

Requirements

  • At least three years of experience designing or attacking secure systems (threat modeling, penetration testing, security assessments, protocol design, etc.).
  • Production coding experience using at least two of the following: Python, TypeScript, or Rust.
  • Strong working knowledge of Linux systems security (kernel hardening, AppArmor, SELinux, etc.).
  • Experience identifying and reasoning about browser/web vulnerabilities (XSS) and Electron-specific issues (file handling, IPC, etc.).
  • Comfort working with open source projects in a collaborative, distributed team environment.

Nice To Haves

  • One-plus year of professional experience with Qubes OS, Tails, or other high-security desktop environments.
  • One-plus year of professional incident response experience.
  • Experience using or developing security monitoring tools (e.g., intrusion detection systems, file integrity monitoring).
  • Familiarity with Tor, onion services, OpenPGP, and other privacy-enhancing technologies.

Responsibilities

  • Conduct application security reviews across SecureDrop components.
  • Assist in performing threat modeling for new features and architectural changes.
  • Review pull requests and design documents with a focus on the security properties of new features and the security implications of architectural changes.
  • Assist in preparing materials for and reviewing findings from third-party security audits.
  • Advise on hardening strategies for SecureDrop’s deployment environments.
  • Review and integrate security automation tooling, such as LLMs, static code analyzers, and other tools that can mitigate or discover security vulnerabilities.

Benefits

  • Contractor will be paid at a rate of USD $80 per hour.
  • Up to 30 hours per week.
  • Invoiced on a monthly basis.
  • Initial duration of six months, with the possibility of renewal.