Lead Security Researcher (Mobile & Web Ecosystem Audit)

  • Status: Pending
  • Prize: $60
  • Entries Received: 24

Contest Brief

https://evpkr.com


We are a new SaaS startup looking for a rigorous security specialist to perform a **comprehensive end-to-end security audit**. Our mobile app (iOS & Android) is our core product and requires deep-dive scrutiny, while our landing pages and staff admin panel need a focused vulnerability assessment to ensure total ecosystem integrity.

### **The Scope of Work**

We need more than a generic automated scan; we require a blend of manual penetration testing and structured configuration review.

* **Mobile App (Deep Dive):** Comprehensive testing based on the **OWASP Mobile Application Security (MAS)** framework. This includes binary analysis, session management, local data storage security, and API communication.
* **Web & Admin Panel:** Vulnerability assessment of the staff-facing dashboard and landing pages (OWASP Top 10 focus).
* **Infrastructure & Logic:** Testing authentication flows, privilege escalation scenarios, and infrastructure misconfigurations.

### **Technical Requirements**

* **Methodology:** Expert-level use of **Burp Suite Professional**, static/dynamic analysis (SAST/DAST), and manual code inspection.
* **Standards:** Adherence to the **OWASP MSTG** (Mobile Security Testing Guide).
* **Experience:** Proven track record in hardening cross-platform applications and securing cloud-native SaaS environments.

### **Deliverables**

1. **Executive Summary:** A high-level risk profile for leadership.
2. **Detailed Technical Report:** Clear reproduction steps (POCs), CVSS risk scores, and specific remediation guidance.
3. **ClickUp Integration:** Every finding must be logged as a discrete, actionable task in our ClickUp workspace for our developers.
4. **Debrief Session:** A recorded walkthrough to ensure the engineering team is aligned on the fixes.

### **How to Apply (The "Contest" Phase)**

To ensure we find the right fit, we are starting with a brief **Initial Assessment Phase**. Please include in your proposal:

* A redacted sample of a previous mobile security report you've authored.
* A brief (3-5 sentence) description of how you would approach testing a cross-platform app's local storage security.
* Your availability to complete this audit within the next two weeks.

ALSO:

Perform a "reconnaissance" on my web presence and tell me what you see from the outside. The one who identifies the most interesting (or subtle) entry point is my winner. This proves your skill without asking for days of free labor.

To ensure you're hiring a shark and not just someone who knows how to click "Run" on a scanner, I want to test your **methodology** and **intuition**.

*External Reconnaissance & Scoping*

*Objective:* Before we move to the full-scope audit, I’d like to see your "attacker's mindset" in action. Your goal is to map our external footprint and identify potential points of failure without performing invasive exploitation.

*The Challenge*

Please spend no more than **three hours** investigating our public-facing infrastructure (Landing Page & Admin Login) and provide a brief **Discovery Memo** covering the following:

1. *Attack Surface Mapping:* Identify the technologies, frameworks, and third-party integrations we are using. Are there any known CVEs or version-specific weaknesses visible from the outside?
2. *Logic & Entry Points:* Based on the landing page and mobile app store descriptions, identify the *three most critical business logic risks* you would prioritize during a full audit (e.g., "Account Takeover via password reset," "IDOR on the Admin Panel," etc.).
3. *Information Leakage:* Check for misconfigured headers, sensitive data in JS files, or exposed subdomains/directories that shouldn't be public.
4. *The "One Big Thing":* If you were an attacker with limited time, where is the first place you would "dig" and why?

*Ground Rules*

* **Passive/Low-Intensity Only:** No DDoS, no aggressive brute-forcing, and no actual data exfiltration.
* **Stay Out of the Core:** Do not attempt to breach the mobile backend or disrupt service.
* **Format:** A simple bulleted Markdown file or a 2-page PDF is perfect. We value clarity over volume.

Public Clarification Board

  • shubhamrooter
    • 2 weeks ago

    Hi,

    I’ve submitted my entry (#19) based on structured passive reconnaissance and manual analysis. During this process, I identified a high-impact backend behavior that could potentially lead to serious abuse scenarios if not properly secured.

    To follow responsible disclosure, I’ve intentionally kept sensitive technical details out of the public submission. I’d be happy to walk through the full findings, including validation and impact, in a private discussion if selected.

    Looking forward to your feedback.

    Thanks,
    Shubham

  • Ashicoder
    • 3 weeks ago

    I am a student and have submitted entries #8, #15, and #16 (2 files) covering external reconnaissance, key risks, and actionable recommendations. I hope these meet your expectations and are useful for your review. I am happy to make any adjustments or improvements if needed.

