RFP -- Security Researcher Part-time

Freedom of the Press Foundation (FPF) seeks a fully remote contract security researcher to support the SecureDrop team over a six-month engagement (max. 30 hours/week), with possibility for renewal.

Scope of work

In coordination with FPF’s other engineers and researchers, the contractor will:

• Conduct application security reviews across SecureDrop components.
• Assist in performing threat modeling for new features and architectural changes.
• Review pull requests and design documents with a focus on the security properties of new features and the security implications of architectural changes.
• Assist in preparing materials for and reviewing findings from third-party security audits.
• Advise on hardening strategies for SecureDrop’s deployment environments.
• Review and integrate security automation tooling, such as LLMs, static code analyzers, and other tools that can mitigate or discover security vulnerabilities.

Desired qualifications

• At least three-plus years experience designing or attacking secure systems (threat modeling, penetration testing, security assessments, protocol design, etc.).
• Production coding experience using at least two of the following: Python, Typescript, or Rust.
• Strong working knowledge of Linux systems security (kernel hardening, AppArmor, SELinux, etc.).
• Experience identifying and reasoning about browser/web vulnerabilities (XSS) and Electron-specific issues (file handling, IPC, etc.).
• Comfort working with open source projects in a collaborative, distributed team environment.

Preferred skills

• One-plus year of professional experience with Qubes OS, Tails, or other high-security desktop environments.
• One-plus year of professional incident response experience.
• Using or developing security monitoring tools (e.g., intrusion detection systems, file integrity monitoring).
• Familiarity with Tor, onion services, OpenPGP, and other privacy-enhancing technologies.

Terms of contract

This is a part-time, hourly contract — the contractor will be paid at a rate of USD $80 per hour, up to 30 hours per week, invoiced on a monthly basis. The contractor will be solely responsible for paying any and all taxes incurred as a result of their compensation.

The contract will commence on a mutually agreeable date no later than Aug. 1 for an initial duration of six months, with the possibility of renewal.

Proposal requirements

If you would like to be considered for this opportunity, please submit the following:

• A brief statement of interest (one-page maximum), which includes your availability (hours per week in U.S. Eastern time and any known constraints). Please do so by including that text in the space labeled “Cover Letter.”
  • Please be sure to include relevant experience or examples of prior work (links to GitHub, write-ups, audits, etc.).
• A CV/résumé.