• Projects 29
  • Rating 4.4
  • Rating 5 148

Budget: 254200 UAH Deadline: 18 days

For the described scope, my fixed fee is USD 6200 and the timeline is 18 calendar days after NDA, staging access, test accounts, and written rules of engagement. It includes black-box testing, BaaS and RLS policy review, 9 serverless endpoints, the executive summary, a severity-ranked report, and one re-test pass after fixes.

We can take this as a security validation of the database-as-API model, not as a generic scanner run. The main work is to prove whether the public client key plus row-level policies can be abused by direct API calls, role switching, object enumeration, broken ownership checks, and client-side control bypasses. I can provide a redacted report structure in the platform - findings, evidence, impact, reproduction steps, remediation, and retest status. Small note - if you expect a formal certified OSWE-led attestation, please say so before selection, because that changes the team mix and price.

Two questions before final locking
> Which BaaS platform is used - Supabase, Firebase, PostgREST, or another one
> Will the staging copy include representative roles and synthetic PII-like data, without real customer records

Relevant Ingello examples
> https://business.ingello.com/platforma - corporate platform architecture with departments, roles, workflows, and data access logic

Mobile app with admin
  • Projects 7
  • Rating 5.0
  • Rating 6 195

Budget: 50400 UAH Deadline: 12 days

Will run a two-phase BaaS security audit covering RLS policy bypass, privilege escalation across your 3-4 roles, and OWASP Top 10 against the ~30-table auto-generated REST API plus 9 serverless endpoints. Phase 1 black-box: Burp Suite Pro to intercept client-key traffic, direct PostgREST/Supabase query probing to test whether row-level policies hold when bypassing the app layer entirely. Phase 2 gap review follows your internal findings handoff, then a retest pass after fixes. Is the BaaS layer Supabase specifically, or a different database-as-API platform?

  • Projects 5
  • Rating 5.0
  • Rating 673

Budget: 2000 UAH Deadline: 7 days

Hello, I worked on a security audit for an e-commerce platform with over 15,000 users that used Firebase with row-level security policies. I found 8 critical vulnerabilities in the database-as-API architecture and helped protect the PII of over 400,000 clients.

What specific BaaS platform is used in your CRM system? This will help me better understand the specifics of the row-level access policies that need to be tested.

I suggest we get in touch; I will provide you with a free technical consultation and we can create a development plan + I will tell you about my team!

  • Projects -
  • Rating -
  • Rating 525

Budget: 8000 UAH Deadline: 10 days

I have experience in pentesting web applications and auditing BaaS/Database-as-API (Supabase, PostgREST, Firebase).

Phase 1 (black box): Burp Suite Pro - intercepting the client key, direct requests to the REST API bypassing the UI to test RLS bypass. Assessment of OWASP Top 10: broken access control, auth/session flaws, injections, XSS. Checking privilege escalation between 3-4 roles, RLS gaps (USING(true), gaps in auth.uid()), PII exposure.

Phase 2: verification of your internal hardening, identifying residual issues.

Result: report Critical/High/Medium/Low + executive summary + free retest after fixes. I will sign the NDA as the first step.

  • Projects 4
  • Rating 4.9
  • Rating 976

Budget: 50000 UAH Deadline: 10 days

Good day. My name is Dmytro. I am interested in your project as I have experience in auditing and security testing of web applications, including systems based on Supabase, Firebase, PostgreSQL, serverless architectures, and Database-as-API models.
I am particularly interested in your approach with two-phase verification, as it allows for a truly independent assessment without the influence of prior internal conclusions. I can focus primarily on checking row-level security (RLS) policies, data isolation between user roles, potential privilege escalation paths, bypassing client-side restrictions, and direct interaction with the database API.
As part of the audit, I can perform:
— testing according to the OWASP Top 10 methodology;
— analysis of access control between roles and tenants;
— verification of the BaaS platform configuration;
— audit of RLS policies and their bypass;
— checking the operation of public client keys;
— analysis of personal data protection (PII);
— security testing of APIs and serverless endpoints;

  • Projects -
  • Rating -
  • Rating 196

Budget: 131200 UAH Deadline: 14 days

we already have a practical BaaS row-level-security audit playbook, test matrix, and report template, so it can be adapted quickly for your CRM and discussed here now =)
fixed-fee works for this scope.
for about 30 exposed tables, 9 serverless endpoints, 3-4 roles, and a re-test, my estimate is USD 3,200 and 14 calendar days.
NDA is fine before stack details are shared.

my approach would be two passes.
- black-box testing against OWASP risks, auth, session handling, broken access control, role escalation, PII exposure, and direct REST queries against the database-as-API layer
- gap review after your internal findings are shared, with validation of what is really remediated and what still bypasses policy controls

reports usually include severity, exploit path, affected asset, evidence, business impact, clear remediation steps, and an executive summary for non-technical leadership.

  • Projects -
  • Rating -
  • Rating 626

Budget: 16000 UAH Deadline: 12 days

Hello!

Your main risk area is exactly my specialization: the "database as API" model with a public client key, where access is strictly maintained through RLS policies. Here, server-side assumptions do not apply: the frontend interacts directly with the auto-REST API, and the only thing that truly protects the rows is the correctness of the policies.

What I will specifically check (Phase 1, black box, only your staging):
• RLS in practice: for each of ~30 tables — whether the policies isolate rows/roles, whether there are tables without policies / with USING(true) / with gaps in auth.uid() checks. Direct reading and writing through REST bypassing the UI.
• Escalation between 3–4 roles: manipulation of JWT claims, role confusion, access to others' rows and columns.
• IDOR and enumeration through auto-generated REST (predictive ids, filters, embedded resources).
• ~9 serverless functions: authorization on each, leakage of service-role/admin key to the client, injections, SSRF.
• PII: which tables expose personal data without proper policy; storage buckets; encryption at rest; backups; network exposure.
• OWASP Top-10 for web applications (auth/sessions, access control, injections, XSS).

Process tailored to your format: first, an independent black box pass without your notes (Phase 1), then a comparison with your internal hardening and search for residual issues (Phase 2) — without duplicating what is already known. I do not expose any real PII: I work on synthetic data/calculations, not on content. I test only against the provided staging; production — only with written permission.

Result: a report with conclusions categorized by severity (Critical/High/Medium/Low), each with specific remediation steps; a separate executive summary for non-technical management; a free retest after your fixes.

Clarifications on the scope:
1. Does staging contain synthetic data instead of real PII?
2. For ~9 serverless functions — is code review needed or just a black box from the outside?

I will show a sample report (demonstration of format and methodology on a training example) in personal messages — there is no place to attach it in the application, and uploading a "spreadsheet" here is inappropriate. We will discuss full technical details after an NDA, which I am ready to sign as the first step.
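Several of the proposals above name the same RLS weaknesses (tables with no policy, policies with USING(true), policies that never tie rows to auth.uid()). The SQL below is an added example, not code from any of the bidders or from the client's project. It assumes a Supabase/PostgREST-style Postgres backend where auth.uid() returns the caller's JWT subject, and a hypothetical CRM table public.contacts(id, owner_id, email, phone); the user id and table are constructed for illustration.

```sql
-- Added example (not part of any proposal above). Assumes a Supabase/PostgREST-style
-- Postgres backend where auth.uid() reads the caller's JWT subject, and a hypothetical
-- CRM table public.contacts(id uuid, owner_id uuid, email text, phone text).

-- 1. Inventory: tables in the exposed schema with row level security switched off.
--    With a public client key, every such table is readable/writable by any caller
--    holding the table's grants, whatever the UI hides.
SELECT n.nspname AS schema_name, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'
  AND n.nspname = 'public'
  AND NOT c.relrowsecurity;

-- 2. Inventory: policies whose USING / WITH CHECK expression is a bare TRUE.
--    RLS is enabled, but the policy hands every row to every caller.
SELECT schemaname, tablename, policyname, cmd, roles, qual, with_check
FROM pg_policies
WHERE schemaname = 'public'
  AND (qual = 'true' OR with_check = 'true');

-- 3. Heuristic: policies that never reference the caller's identity at all.
--    Review each hit by hand; some may be intentional (e.g. public reference data).
SELECT schemaname, tablename, policyname, cmd, qual
FROM pg_policies
WHERE schemaname = 'public'
  AND coalesce(qual, '') NOT LIKE '%auth.uid()%'
  AND coalesce(with_check, '') NOT LIKE '%auth.uid()%';

-- 4. The weak pattern the proposals flag: RLS enabled, but USING (true).
ALTER TABLE public.contacts ENABLE ROW LEVEL SECURITY;
CREATE POLICY contacts_read_all ON public.contacts
  FOR SELECT TO authenticated
  USING (true);   -- every authenticated user can read every contact

-- 5. Hardened replacement: rows are bound to the JWT subject, and writes carry a
--    WITH CHECK so a caller cannot insert or move rows under another owner.
DROP POLICY contacts_read_all ON public.contacts;
CREATE POLICY contacts_owner_select ON public.contacts
  FOR SELECT TO authenticated
  USING (owner_id = auth.uid());
CREATE POLICY contacts_owner_modify ON public.contacts
  FOR ALL TO authenticated
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

-- 6. Re-test from the database side, without the UI: impersonate the PostgREST role
--    and the JWT claims it would set, then confirm only the caller's own rows are
--    visible. The user id is a constructed value; the claim-setting mechanism is an
--    assumption about how auth.uid() resolves in this deployment.
BEGIN;
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
SELECT count(*) AS foreign_rows_visible
FROM public.contacts
WHERE owner_id <> '00000000-0000-0000-0000-000000000001';   -- should be 0 after step 5
ROLLBACK;
```

Steps 1 to 3 are the inventory queries a reviewer would run against the staging database before any request-level testing; they turn the "~30 tables" into a concrete list of tables and policies to examine. Step 6 is the retest that proves the hardened policy holds when the application layer is bypassed entirely, which is the scenario every proposal on this page describes.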
