Penetration Tester — Web App + Supabase Backend (SaaS Recruiting Platform)

Remote Full-time

Client: ThunderJaws Human Resources Solutions

Project: Hire.ThunderJaws.com (production SaaS)

Engagement: Fixed-price, ~3 weeks active testing + 30-day retest window

Budget range: TBD

________________________________________

About the project

ThunderJaws is a live recruiting marketplace (job seekers, employers, admin) with:

• React + Vite frontend

• Supabase backend (Postgres + RLS, Auth, ~40+ Edge Functions, Storage)

• Stripe billing (Pro tier $199/mo, employer resume unlocks)

• WebAuthn passkeys + TOTP MFA

• Resend transactional email

• Public job-feed endpoint with per-partner UTM tracking

We need a qualified, independent penetration tester to validate the platform end-to-end before scaling paid employer features.

________________________________________

What we're looking for (Step 1 — Initial Review)

Apply with a short proposal (1 page max) covering:

1. Your background — years pen-testing, certifications (OSCP / OSWE / GWAPT / CREST / Burp Suite Certified, etc.), and confirmation you are an independent firm or individual (not reselling automated scanners).

2. Relevant experience — at least one prior engagement on a multi-tenant SaaS with Supabase, Postgres RLS, or similar row-level authorization model.

3. One redacted prior pen-test report (PDF) demonstrating manual testing depth — not a Nessus/Burp scan dump.

4. Liability insurance — confirmation of ≥ $1M professional liability coverage.

5. Approach to third-party validation — how you will independently verify that employer-paid resumes are actually delivered to and processed by third parties (ATS webhooks, email deliverability with DMARC/DKIM/SPF, job-board apply receipts, or customer attestation). Google crawlers, Lighthouse, and generic SaaS scanners do NOT qualify — this is a hard requirement.

________________________________________

What we are NOT looking for

• Automated-scanner-only deliverables

• Agencies subcontracting to unvetted offshore testers

• Anyone unfamiliar with Supabase RLS, Edge Functions, or JWT-based auth

• "Pass/fail" checklists without proof of exploitation or remediation guidance

________________________________________

Next step

Selected candidates will receive the full Scope of Work (Step 2) under NDA, including:

• Detailed in-scope / out-of-scope asset list

• Acceptance criteria (including the third-party resume validation chain)

• Deliverables, milestone payment schedule, and retest terms

• Source-code access on request

• Test accounts (job seeker, employer, admin)

________________________________________

To apply: Send the 5 items above. Shortlisted candidates will be contacted within 5 business days to receive the full SOW.

Independent firms preferred. Recommended profiles: NCC Group, Bishop Fox, Cure53, Trail of Bits caliber — or equivalent independent practitioners.

