Penetration Testing for Bike Index NFP SaaS Product

Remote, USA Full-time Posted 2026-05-04
Penetration Tester for Bike Index (bikeindex.org)

About Bike Index

Bike Index is the world's largest open-source bicycle registration platform. We help cyclists register their bikes and recover them when stolen — we've helped recover tens of thousands of bikes and are trusted by police departments, bike shops, and cycling communities globally. Our platform handles sensitive user data, stolen bike reports, and integrates with law enforcement systems, so security is critical to our mission.

What We're Looking For

We're seeking an experienced penetration tester / ethical hacker to conduct a thorough security assessment of bikeindex.org. This is a scoped engagement — we want to find vulnerabilities before bad actors do.

Scope of Work

Web application penetration test of bikeindex.org (Rails-based app)

API security testing (REST endpoints, authentication flows)

Authentication & session management review (OAuth, user accounts)

OWASP Top 10 vulnerability assessment

Business logic flaws (e.g., unauthorized bike record manipulation, impersonation)

Sensitive data exposure checks (PII, stolen bike reports, law enforcement data)

Optional / stretch: infrastructure/cloud config review if access is scoped

Deliverables

Findings report with severity ratings (Critical / High / Medium / Low / Info)

Proof-of-concept documentation for each confirmed vulnerability

Remediation recommendations written for a development team

Executive summary suitable for non-technical stakeholders

Retesting of critical findings after fixes (one round)

Requirements

Demonstrated experience with web app pentesting (please include sample reports or portfolio, redacted is fine)

Familiarity with Ruby on Rails applications preferred

Proficiency with tools such as Burp Suite, OWASP ZAP, SQLMap, Nmap, Metasploit, etc.

Relevant certifications a plus: OSCP, CEH, GWAPT, eWPT, or similar

Clear written English for report deliverables

Must sign a Rules of Engagement / NDA prior to start

Must agree to responsible disclosure practices — no data exfiltration, no DoS

Nice to Have

Experience testing open-source or nonprofit platforms

Familiarity with public API security testing

Prior work with law enforcement-adjacent or civic-tech applications

Engagement Details

Type: Fixed-price project (~10 hours of work)

Timeline: Report delivered within 1 week of kickoff

Access: Black-box or grey-box (we can discuss scope)

Testing environment: We can provide a staging environment for destructive tests

How to Apply

Please include:

A brief overview of your approach to web app pentesting

1–2 examples of past work (redacted reports, writeups, CVEs, or bug bounty disclosures)

Your proposed timeline and fixed-price quote

Any clarifying questions about scope

We're a small nonprofit team that moves fast and communicates openly.