Senior Security Engineer — Postgres RLS Review for Fintech Platform (Fractional)
Only freelancers located in the U.S. may apply.U.S. located freelancers only
Description (~30-50 hours over 3 months): We're building a compliance-critical capital-markets platform (commercial real estate) on Postgres/Supabase — multi-tenant, invitation-based access, append-only audit trail, signed-link document access. We need a security-focused senior engineer as our independent data-layer reviewer: you review and sign off, you don't write the product code. The codebase is written by AI coding agents under a governed pipeline (agents open PRs only; every merge is human; security-surface work happens in gated, supervised sessions). Your job is to audit agent-written SQL and policies with full rigor — provenance is a reason for more scrutiny. If AI-written code puts you off, or impresses you into leniency, this isn't the engagement. The work, in three review gates: Foundation pass (first, ~8–16 hrs, scheduling in 2–4 weeks): schema for two distinct permission families; invitation-based RLS policies plus their 36-test adversarial suite (negative tests, fail-closed lint, no-auto-expose probes); append-only audit enforcement; signed-URL issuance module. This review gates real customer data entering the system. Includes a short threat-model working session at the start. App-surface pass (~4–8 weeks out, ~6–12 hrs): storage/VDR access paths, document permissions, onboarding gates. Visibility pass (~8–12 weeks out, ~8–16 hrs): criteria-based visibility — the "wrong stranger sees a teaser" bug class. Optional light advisory retainer between gates. You have: Deep, hands-on Postgres RLS experience in production multi-tenant systems — you can articulate how RLS schemes fail silently and how to test for it Supabase-specific experience strongly preferred (auth model, storage signed URLs, PostgREST exposure surface) An adversarial review style — you try to break isolation, not read for style Experience with regulated or financial data (audit trails, access evidence) preferred Clear written findings a non-technical founder can act on Engagement: hourly, no FTE conversion expected. Findings delivered as written reports; fixes are implemented by our pipeline and re-reviewed by you. Remote, async-friendly, US-hours overlap helpful.
- Less than 30 hrs/weekHourly
- 1-3 monthsDuration
- ExpertExperience Level
$90.00
-
$160.00
Hourly- Remote Job
- Ongoing projectProject Type
Skills and Expertise
Activity on this job
- Proposals:20 to 50
- Last viewed by client:yesterday
- Interviewing:0
- Invites sent:0
- Unanswered invites:0
About the client
- United States12:07 PM
Explore similar jobs on Upwork
How it works
Create your free profileHighlight your skills and experience, show your portfolio, and set your ideal pay rate.
Work the way you wantApply for jobs, create easy-to-by projects, or access exclusive opportunities that come to you.
Get paid securelyFrom contract to payment, we help you work safely and get paid securely.
About Upwork
- 4.9/5(Average rating of clients by professionals)
- G2 2021#1 freelance platform
- 49,000+Signed contract every week
- $2.3BFreelancers earned on Upwork in 2020
Find the best freelance jobs
Growing your career is as easy as creating a free profile and finding work like this that fits your skills.
Trusted by