We are looking for an experienced penetration tester to conduct a security assessment of two production systems used in clinical research:
Target 1 — Mobile health tracking app (iOS & Android)
Cross-platform mobile application (Flutter) with a Laravel/PHP backend and PostgreSQL database
Includes REST API communication between app and server
Hosted on a European VPS (Germany) behind Cloudflare
Target 2 — Customized LimeSurvey instance
Self-hosted LimeSurvey deployment used for clinical research questionnaires
Hosted on a separate European VPS behind Cloudflare
Context
Both systems handle sensitive health data. The penetration test report will be used for compliance and audit documentation.
Scope
At minimum, testing must cover:
OWASP Top 10 (web) and OWASP Mobile Top 10
API security (authentication, authorization, input validation, rate limiting)
Data storage and transmission security (encryption at rest and in transit)
Session management and authentication flows
Server configuration and hardening review
LimeSurvey-specific vulnerabilities (known CVEs, plugin security, access controls)
Deliverables & milestones
Milestone 1 — Initial penetration test & report
Full security assessment of both targets
Technical report including: findings, severity classification (CVSS), proof of concept, and recommended remediation steps
Debrief call to walk through findings
Milestone 2 — Retest after remediation
Verification test after our development team has implemented fixes
Updated report confirming resolved issues and any remaining risks
Milestone 3 — Final report & certificate
Formal penetration test certificate / letter of attestation stating that both systems have been tested against the agreed scope and that all identified findings have been remediated and verified (with any accepted residual risk listed explicitly)
Final report suitable for inclusion in compliance/audit documentation
Requirements
Must have:
Recognized penetration testing certification (OSCP, CREST CRT/CCT, or CEH)
Demonstrated experience with mobile app penetration testing (iOS and Android)
Demonstrated experience with web application penetration testing
Familiarity with OWASP testing methodologies (Web Security Testing Guide and Mobile Application Security Testing Guide)
Ability to produce professional, audit-ready reports in English
Willingness to sign an NDA before receiving any access credentials or technical documentation
Nice to have:
Experience with Flutter/Dart mobile applications
Experience with LimeSurvey or similar PHP-based survey platforms
Experience with Laravel/PHP backends
Timeline
Ready to start immediately (both systems are in their final, production-ready state)
Expected duration: 2–3 weeks for initial test, then retest after our remediation window
How to apply
Please include in your proposal:
Your relevant penetration testing certification(s)
2–3 examples of previous pentest engagements (anonymized is fine)
Your approach / methodology for this type of engagement
Estimated timeline and fixed-price quote per milestone
Confirmation you are willing to sign an NDA before project start