Comprehensive Security, Vulnerability, and Compliance Testing Engagement

Posted yesterday

Worldwide

Summary

UPWORK JOB POSTING Comprehensive Security, Vulnerability, and Compliance Testing Engagement Mobile Application • Website • Financial Infrastructure • Chain of Custody Architecture ISO 42001 • NIST AI RMF • NIST SP 800 series • OWASP • Federal Digital Evidence Standards Fixed Price — 9,200 USD • Four Milestones • Milestone Certifications Required --- READ THIS FIRST — DO NOT APPLY IF YOU CANNOT SATISFY ALL REQUIREMENTS This engagement requires a REGISTERED BUSINESS ENTITY — not an individual freelancer — that has previously produced security certifications, compliance certifications, and forensic integrity reports that have been accepted in professional, legal, or regulatory contexts. VENDORS WHO DO NOT MEET ALL OF THE FOLLOWING SHOULD NOT APPLY. YOUR PROPOSAL WILL BE IGNORED: Your organization holds active CREST, CERT In empanelment, or equivalent nationally recognized cybersecurity accreditation verifiable through a public registry Your organization holds ISO 27001, SOC 2 Type II, or CMMC Level 2 certification for your OWN operations Your team includes a named examiner with CFCE, EnCE, ACE, GCFE, or GCFA certification for the forensic integrity report Your team includes a named examiner with OSCP, CEH, GPEN, or GMOB certification for penetration testing Your organization has previously issued security certifications and compliance certifications that have been presented in legal proceedings, regulatory submissions, or enterprise procurement processes Your organization has conducted prior mobile application security assessments on iOS and Android physical devices Your organization has prior experience with United States federal and state regulatory requirements including COPPA, BIPA, and recording consent law Vendors who cannot satisfy all of these requirements should not apply. AI-generated proposals that do not answer the competency screening questions with specific, verifiable, experience-based answers will not be reviewed. --- MILESTONE CERTIFICATION REQUIREMENT — THIS IS NON-NEGOTIABLE The engagement requires the contractor to issue a written certification on official business letterhead at the completion of each milestone. These are not summary reports. They are formal certifications signed by an authorized officer of the contractor's registered business entity that state specifically what was tested, what passed, and that the tested components are certified as meeting the standards applied in the engagement. MILESTONE 1 CERTIFICATION IS THE MOST CRITICAL. The platform may receive subpoenas or law enforcement requests for recorded evidence during its beta launch period. Milestone 1 specifically covers the chain of custody architecture, evidence package delivery security, and 51-jurisdiction recording consent compliance. The Milestone 1 certification — issued on official letterhead within 15 business days of engagement start — is the document the client presents if compelled to produce recordings to a court or law enforcement agency during beta. Without it the platform has no independent verification of its forensic integrity. If a contractor cannot issue an official business letterhead certification with an authorized officer signature, a unique traceable reference number, and independent verification contact information for each milestone that passes — that contractor cannot perform this engagement. Certifications must be independently verifiable. Law enforcement, attorneys, and courts must be able to contact your organization directly to verify any certification issued under this engagement. --- 1. ENGAGEMENT OVERVIEW A consumer-facing mobile application operating across all 50 US states and Washington DC requires a comprehensive independent security, vulnerability, and compliance testing engagement before official public launch. The platform is a compliance-grade personal safety and forensic evidence documentation system. Its Evidence Vault stores audio and video recordings made under a 51-jurisdiction recording consent compliance engine. Evidence Packages from the platform are submitted to law enforcement officers, licensed attorneys, private investigators, and courts as forensic evidence in civil and criminal legal proceedings. This is not a standard mobile application security audit. The platform's outputs will be used as evidence in criminal prosecutions. The certifications produced under this engagement will be presented to District Attorneys, defense counsel, judges, law enforcement agencies, and enterprise procurement officers. The forensic integrity report produced under this engagement is a court-presentation document that must withstand cross-examination by a defense attorney. Every deliverable in this engagement carries legal evidentiary weight. Vendors who approach this as a routine VAPT engagement are not the right fit. The complete Statement of Work covering all testing requirements, formal test cases, acceptance criteria, milestone deliverables, and contractor qualification requirements will be provided as an attachment to qualified candidates after initial screening. This posting is a summary and screening document only. --- 2. SCOPE SUMMARY — FOUR MILESTONES MILESTONE 1 IS TIME-CRITICAL AND NON-NEGOTIABLE ON TIMELINE Milestone 1 must be completed within 15 business days of the written green light from the client. This timeline is a condition of the engagement, not a target. A contractor who cannot commit to 15 business days for Milestone 1 should not apply. Milestone 1 covers the components required if a court order, subpoena, or law enforcement evidence request arrives during the beta period. The certification issued at Milestone 1 completion is the legal verification document for this scenario. Milestone 1 — Court-Order Readiness Certification — 2,500 USD — 15 Business Days Part A Security Testing: Chain of custody architecture security across four flows — inbound vendor certification document upload (9 test cases including dual-authorization model, revocation, APN port access control, and HASH_COMPROMISED status), outbound evidence package transmission to law enforcement, attorneys, and private investigators (6 test cases), outbound certification document request and delivery (8 test cases including 72-hour link expiry and rejection notification), and SHA-256 cryptographic integrity across all flows (7 test cases including rate limiting and end-to-end hash chain) Part A Security Testing: Evidence Package access and chain of custody penetration testing for all four recipient classes — trusted contacts, licensed attorneys, law enforcement officers, and private investigators — including credential bypass testing and cross-recipient sequential chain integrity Part B Compliance Verification: 51-jurisdiction Compliance Decision Engine verification — JUR-01 through JUR-04 and REC-01 through REC-05 verified across all 51 US states and Washington DC using simulated GPS on physical iOS and Android devices Milestone 1 Deliverable: Interim Chain of Custody and Evidence Delivery Certification issued on official business letterhead, signed by authorized officer, unique reference number, stating what was tested, what passed, what was not tested in this milestone, and the platform version tested --- Milestone 2 — Mobile Application Security Assessment — 2,000 USD — 30 Business Days Part A: Complete iOS and Android mobile application security assessment on physical devices — VAD acoustic embedding data handling, BIPA and state biometric privacy verification across 11 enumerated states, VAD behavioral accuracy testing across 6 scenarios with 80/85 percent acceptance thresholds, Fake Call compliance testing across 5 formal test cases, VAD session start delay gate across 5 scenarios, COPPA compliance across 11 test items, SOS emergency dispatch sandbox testing across 5 controls, iOS silent mode compliance fallback, website penetration testing, enterprise account security across 6 test areas Milestone 2 Deliverable: Mobile Application Security and Vulnerability Assessment Report with separate iOS and Android findings for every single test — no combined results accepted — device make, model, and OS version documented, severity ratings, remediation recommendations, on official letterhead Milestone 2 Certification: Written certification on official letterhead that mobile application security testing for Milestone 2 scope was completed and all Critical and High findings were retested and confirmed resolved --- Milestone 3 — Infrastructure and Financial Security Assessment — 1,500 USD — 40 Business Days Part A: Payment and webhook security — Stripe Connect multi-entity isolation, webhook signature validation, replay attack testing, IRS transfer pricing fourteen-field metadata schema integrity, subscription privilege escalation Part A: Financial infrastructure security — third-party accounting integration injection point and Smart Rules security, six-file multi-entity accounting access isolation, intercompany transaction integrity, financial audit trail immutability and export for CPA review Part A: GPS, live map, and family location security — simulated GPS jurisdiction detection across all 51 states on physical iOS and Android devices, GPS spoofing resistance, five Profile A and B state border scenarios, on-device reverse geocoding verification, live map access control, family GPS at maximum account member count using mixed iOS and Android device configuration Milestone 3 Deliverable: Infrastructure and Financial Security Assessment Report with separate iOS and Android results for all GPS and location tests, financial infrastructure findings documented separately, on official letterhead Milestone 3 Certification: Written certification on official letterhead that infrastructure and financial security testing for Milestone 3 scope was completed and all Critical and High findings were retested and confirmed resolved --- Milestone 4 Final — Full Compliance Verification and Four Certifications — 3,200 USD — 55 Business Days Part B: Full 48-control Implementation QA Compliance Checklist verification across all 10 control categories and all account tiers — consumer, professional, and enterprise — with separate iOS and Android results Part B: BIPA compliance across all 11 enumerated states, VAD behavioral accuracy thresholds confirmation, Washington state announcement-in-recording verification, Delaware profile classification correction, enterprise account compliance, financial compliance including IRS transfer pricing rules and accounting audit trail export, NIST SP 800 series test coverage adequacy gap report Milestone 4 Required Deliverable 1 — FORENSIC INTEGRITY VERIFICATION REPORT: Court presentation standard. CFCE, EnCE, ACE, GCFE, or GCFA certified examiner. Minimum 500-word methodology. Independent SHA-256 verification table for minimum 10 test files. Minimum 5 WORM mutation attack vectors. Minimum 3 Legal Hold bypass scenarios. Expert conclusion statement. Statement of examiner independence. Official letterhead. Milestone 4 Required Deliverable 2 — PART A SECURITY CERTIFICATION: All Critical and High vulnerabilities retested and confirmed resolved. Authorized officer signature. Official letterhead. Milestone 4 Required Deliverable 3 — PART B COMPLIANCE CERTIFICATION: All required controls confirmed operational across all account tiers. Compliance attorney opinion letter reference number cited. Authorized officer signature. Official letterhead. Milestone 4 Required Deliverable 4 — CERTIFICATE OF STANDING: Complete engagement scope covered. All findings status documented. No Critical or High vulnerabilities remain open. All 48 controls and 51 jurisdictions verified. Authorized officer signature. Unique certificate reference number. Official letterhead. ALL FOUR MILESTONE 4 DOCUMENTS ARE REQUIRED SIMULTANEOUSLY. Payment releases only when all four are received and accepted. Receipt of three does not trigger payment. --- 3. ENGAGEMENT PROTOCOL Start-stop engagement: Testing for each milestone begins only upon written green light from the client confirming the development team is ready. Timeline clocks start from the green light date, not the contract start date. Hold notices: The client may pause any milestone if additional development work is required. The vendor must resume within five business days of the new green light. Remediation and recheck: When findings are identified the development team remediates and the vendor retests. After all Critical and High findings are resolved the vendor conducts a full recheck of every previously passing test case within that milestone before issuing the milestone certification. Advancement gate: The vendor may not advance to the next milestone without written client acceptance of the current milestone deliverable, milestone payment released, and written green light for the next milestone. --- 4. CERTIFICATION AUTHORITY REQUIREMENTS The certifications issued under this engagement will be presented in criminal proceedings, civil litigation, law enforcement investigations, and enterprise procurement processes. A certification from a contractor who lacks institutional standing has no value in these contexts. Every certification issued under this engagement must: be on official business letterhead with your registered business address and active website address, be signed by a principal or authorized officer of your registered entity, carry a unique traceable reference number, be independently verifiable by contacting your organization directly, include a dedicated verification contact on the certificate face, and state the name and active credential of every examiner who contributed to the assessment. Your organization must have previously issued certifications that have been accepted in professional or legal contexts. Certifications that have never been presented outside a client's internal files do not satisfy this requirement. --- 5. MANDATORY COMPETENCY SCREENING QUESTIONS THESE QUESTIONS MUST BE ANSWERED IN FULL. INCOMPLETE OR GENERIC ANSWERS WILL RESULT IN DISQUALIFICATION. These questions are designed to verify direct hands-on experience and institutional competency. They cannot be answered satisfactorily using general knowledge or AI-generated text. Each answer must be specific, verifiable, and grounded in your organization's actual prior work. Section A — Forensic Integrity and Chain of Custody Question 1. Describe a specific prior engagement where your organization produced a forensic integrity report for a digital evidence preservation system that was presented in a legal proceeding. Identify the type of proceeding (criminal, civil, regulatory), the role the report played, and the outcome. Do not identify the client by name if confidential but describe the industry and nature of the system. What specific tests did your examiner conduct and what tools were used to independently verify SHA-256 hashes? Question 2. Your organization is about to certify a WORM-protected evidence vault for a consumer mobile application. The vault stores audio and video recordings in 5-to-10-second chunks each with an independent SHA-256 hash. A defense attorney challenges the vault integrity by arguing that the hash verification relies on the platform's own tools rather than independent verification. Walk through your methodology for responding to this challenge. What specific independent tools do you use? How do you document the independence of your verification in a way that satisfies a court? Question 3. Your organization is required to produce a chain of custody log export for a single certification document that was transmitted to a law enforcement officer, then to a District Attorney, then introduced as evidence in a federal criminal proceeding. The export must be suitable for court submission. Describe the format, required fields, and structure of that export document. How does your organization ensure the chain of custody log is append-only and tamper-resistant? What happens to the chain of custody record if the platform is acquired or restructured? Section B — Mobile Application Security Testing Question 4. Your team is testing a Voice Activity Detection engine on a physical iOS device. The engine creates ephemeral acoustic embeddings in RAM during a session and is required to destroy them at session end with no persistent storage and no off-device transmission. Describe your methodology for verifying that the embeddings are truly destroyed at session end and that no data remnants exist. What OS-level tools and memory analysis techniques do you use on iOS specifically? How does your approach differ on Android? Question 5. During a mobile application penetration test you discover that the jurisdiction detection engine — which determines which recording consent profile to apply based on GPS location — can be spoofed by a GPS mock application. The engine defaults to the most permissive recording profile when GPS confidence is low rather than the most restrictive profile. Classify this finding by severity and explain your reasoning. What attack scenarios does this enable? What remediation do you recommend and how do you verify the remediation is effective at the enforcement layer rather than only the UI layer? Question 6. Describe a prior engagement where your organization tested COPPA compliance controls on a consumer mobile application. What specific tests did you conduct? What is the FTC's current civil penalty exposure for COPPA violations and how does that inform your testing priority? What is the specific legal threshold that triggers COPPA obligations and how do you verify a platform's age gate satisfies it? Section C — Compliance Verification and Framework Assessment Question 7. A mobile application operates across all 50 US states and Washington DC. It records audio and video of users and nearby third parties during real-time safety sessions. Different states require different levels of consent — some require only one-party consent, others require all-party consent with an audible notice. The platform has implemented four recording consent profiles driven by a Compliance Decision Engine that detects jurisdiction from GPS. Name three specific states where all-party consent is required, cite the applicable statute for each, and describe what the platform must do technically to satisfy each statute's notice requirements. Then explain what Profile B means in a multi-participant session where participants are in different consent-profile states. Question 8. Your organization has been asked to verify that a platform satisfies NIST SP 800 series control testing requirements across 48 control IDs spanning 10 compliance categories. The existing automated test suite has 185 tests across 37 suites. Describe specifically how you evaluate whether an existing automated test suite meets NIST SP 800 series adequacy standards. What control families are most commonly under-tested in consumer mobile applications? What does your gap report look like and how do you structure your remediation recommendations so a development team can implement them efficiently? Question 9. The platform's Voice Activity Detection engine must satisfy the Illinois Biometric Information Privacy Act. The engine creates in-memory acoustic embeddings during recording sessions and destroys them at session end. The embeddings are never written to persistent storage and never transmitted off-device. A plaintiff's attorney argues the acoustic embeddings constitute biometric identifiers under BIPA because they are derived from biological characteristics. Evaluate this argument. Does the ephemeral in-memory implementation trigger BIPA's requirements? What specific statutory language is determinative? How does your organization document the compliance position in a way that would support a motion to dismiss a BIPA class action? Section D — Certification Issuance and Institutional Standing Question 10. Provide a description of a prior security certification or compliance certification your organization has issued that was subsequently presented in a legal proceeding, regulatory submission, or enterprise procurement process. Describe the certification's content, who signed it, how it was verified by the receiving party, and what role it played. You may redact client names and case identifiers. The description must include the type of proceeding, the jurisdiction, and the specific compliance or security standards the certification addressed. Question 11. A law enforcement officer contacts your organization six months after you issued a Milestone 1 chain of custody certification for a mobile platform. The officer is preparing to testify in a federal criminal proceeding and needs to verify that the certification is authentic, that the named examiner held the stated credentials at the time of testing, and that the platform version tested matches the version from which the evidence was produced. Walk through exactly how your organization handles this verification request. What documentation do you maintain, for how long, and through what internal process does a verification request get handled? Question 12. Your organization has just completed security testing for a milestone and identified three Critical vulnerabilities and four High vulnerabilities. The development team has remediated all seven. You have retested and confirmed all seven are resolved. Before issuing the milestone certification you are required to conduct a full recheck of every test case within the milestone that previously passed. During the full recheck you discover that one remediation introduced a regression — a test case that previously passed now fails. How do you handle this? What does your certification say about the discovered regression? What is your communication process with the client? How do you document the regression discovery in the chain of custody of your own testing records? Section E — Financial Infrastructure and GPS Security Question 13. A multi-entity payment platform uses Stripe Connect with a platform master account and connected accounts for multiple operating entities. A security assessment must verify that the connected account architecture does not allow one entity's payment data to be accessed through another entity's credentials. Describe your methodology for testing this isolation. What specific API calls do you make, what attack vectors do you test, and how do you verify that the IRS transfer pricing metadata stamped on PaymentIntents cannot be stripped or modified through any accessible API endpoint? Question 14. A consumer mobile application must convert GPS coordinates to neighborhood-level descriptors on-device before transmitting location information in SMS alerts. Raw GPS coordinates must never appear in any outbound transmission. Describe your methodology for verifying that raw GPS coordinates are not present in any SMS payload, push notification, or API call under any device state — including degraded GPS reception, background mode, and airplane mode. What tools do you use to intercept and analyze outbound network traffic on physical iOS and Android devices simultaneously? --- 6. PROPOSAL REQUIREMENTS PROPOSALS MISSING ANY OF THESE ELEMENTS WILL NOT BE REVIEWED 1. Full answers to all 14 competency screening questions above. Answers must be specific and experience-based. Generic or AI-generated answers will be identified and disqualified. 2. Your company's full legal registered name, business registration number, jurisdiction of registration, and active public-facing website address. 3. Your organization's accreditation reference number (CREST registration, CERT In empanelment number, or equivalent) and the public verification registry where it can be independently verified. 4. Your organization's own ISO 27001, SOC 2 Type II, or equivalent certification reference number and issuing body. 5. The full name, active certification name, certificate number, issuing body, and expiry date of the forensic examiner who will produce the Milestone 4 forensic integrity report. Minimum credential: CFCE, EnCE, ACE, GCFE, or GCFA. 6. The full name, active certification name, certificate number, issuing body, and expiry date of the lead Part A penetration testing examiner. Minimum credential: OSCP, CEH, GPEN, or GMOB. 7. A SAMPLE PART A SECURITY CERTIFICATION previously issued by your organization on official business letterhead. Client names may be redacted. Must show authorized officer signature, unique reference number, scope certified, and examiner credentials. Required separately from the compliance certification sample. 8. A SAMPLE PART B COMPLIANCE CERTIFICATION previously issued by your organization on official business letterhead. Must show authorized officer signature, unique reference number, compliance framework and control scope verified, and lead examiner credentials. Required separately from the security certification sample. 9. Part A pricing and Part B pricing as separate line items with a combined total not exceeding 9,200 USD. 10. Written confirmation that your organization can issue a Milestone 1 interim certification within 15 business days of the written green light and that this timeline is a firm commitment, not an estimate. 11. Written conflict of interest disclosure confirming no relationship with any competitive platform in the personal safety application or evidence documentation market. --- 7. COMPLETE SOW PROVIDED TO QUALIFIED CANDIDATES The complete Statement of Work — covering all formal test cases, acceptance criteria, contractor qualification requirements, milestone deliverable specifications, start-stop protocol, remediation and recheck procedures, chain of custody requirements, and certification issuance standards — will be provided to candidates who pass initial screening. Initial screening is based on the competency questions above and the proposal requirements above. Candidates who are screened in will receive the full SOW and will be asked to confirm their proposal covers the complete scope before award. Do not request the full SOW before submitting your proposal. The SOW will not be shared with candidates who have not submitted a complete proposal meeting all requirements above.

  • $9,200.00

    Fixed-price
  • Expert
    Experience Level
  • Remote Job
  • Ongoing project
    Project Type
Skills and Expertise
Mandatory skills
Vulnerability Assessment
Activity on this job
  • Proposals:Less than 5
  • Last viewed by client:5 hours ago
  • Interviewing:
    1
  • Invites sent:
    2
  • Unanswered invites:
    2
About the client
Member since Jul 14, 2025
  • USA
    Abingdon 1:37 PM
  • $77K total spent
    54 hires, 16 active

Explore similar jobs on Upwork

Cybersecurity Expert for IoT and Hardware HackingFixed-price‐ Posted 1 month ago
C
C++
Internet of Things
Lead Generation
Internet Marketing
Cloud Computing
Cloud Security Framework
Network Security
Solution Architecture
Security Infrastructure
Application Security
Security Engineering

How it works

  • Post a job icon
    Create your free profile
    Highlight your skills and experience, show your portfolio, and set your ideal pay rate.
  • Talent comes to you icon
    Work the way you want
    Apply for jobs, create easy-to-by projects, or access exclusive opportunities that come to you.
  • Payment simplified icon
    Get paid securely
    From contract to payment, we help you work safely and get paid securely.
Want to get started? Create a profile

About Upwork

  • Rating is 4.9 out of 5.
    4.9/5
    (Average rating of clients by professionals)
  • G2 2021
    #1 freelance platform
  • 49,000+
    Signed contract every week
  • $2.3B
    Freelancers earned on Upwork in 2020

Find the best freelance jobs

Growing your career is as easy as creating a free profile and finding work like this that fits your skills.

Trusted by

  • Microsoft Logo
  • Airbnb Logo
  • Bissell Logo
  • GoDaddy Logo