
Request for Proposals (RFP): Independent Security Audit for Bayanat

Executive Summary

The Syria Justice and Accountability Centre (SJAC) invites qualified vendors to conduct an independent security audit of Bayanat, an open-source web application used by human rights organizations and international institutions for documenting, analyzing, and preserving conflict-related data.

The goal of this engagement is to identify security weaknesses across Bayanat’s architecture, codebase, APIs, authentication and authorization workflows, data handling mechanisms, and integrations. The vendor will be provided with a testing environment, full source-code access, and documentation to enable an in-depth white-box evaluation. The engagement will include vulnerability assessment, hands-on exploitation attempts, verification of secure coding practices, assessment of configuration, and testing for logic flaws and misuse scenarios.

The selected vendor will collaborate closely with SJAC’s engineering team to validate findings, support remediation efforts, and ultimately deliver a final security assessment report suitable for publication, in accordance with the organization’s contractual obligations. 

Background & Context

Bayanat (https://github.com/sjacorg/bayanat) is an open-source web application developed and maintained by SJAC to support documentation of human rights violations, transitional justice, missing persons investigations, and collaborative research. It serves diverse users (analysts, moderators/admins, external researchers, legal teams) and manages highly sensitive data, including PII, multimedia evidence, structured metadata, and operational logs.

Documentation is available at https://docs.bayanat.org/.

Scope of Work

In-Scope Components

  • Source Code Review (available at https://github.com/sjacorg/bayanat)
  • Application & API Tests
  • Supply chain & dependencies
  • Deployment methods & configurations
    • Native installation, scripts and configurations
    • Docker / docker-compose (container hardening, least-privilege, secrets, networking)
    • Cloud images (AMIs/others)
  • Logging & monitoring
  • Technical documentation (deployment, security, maintenance), available at https://docs.bayanat.org/; end-user guides and analysis methodology guides are excluded.

Standards & Methodology

The vendor must follow the methodologies and testing categories defined in the OWASP Web Security Testing Guide (WSTG), including (but not limited to):

  • Information Gathering
  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Input Validation and Injection Testing
  • API and Web Services Testing
  • Client-Side Testing
  • Business Logic Testing
  • Error Handling and Logging Testing
  • Server-Side Application Testing

Additional standards: Vendors may apply additional standards to address areas not fully covered by OWASP WSTG, provided these are agreed upon in advance with SJAC and outlined in the proposal. Any supplementary standards must complement OWASP WSTG without reducing its coverage or rigor.

Deliverables

  1. Comprehensive initial audit report, including:
    • Detailed vulnerability findings with description, evidence, and replication steps/scripts.
    • Clear remediation guidance for each finding.
    • Severity rating (e.g., CVSS), impact assessment, and prioritization.
    • Dependency risk summary.
  2. Weekly status updates
  3. Remediation Verification (Retest)
    • One round of retesting is required and included in the fixed price.
    • Report indicating fixed, partially fixed, not fixed, and regression checks.
  4. Final report with executive summary and technical findings (publishable version)

Pricing

Vendors must provide a fixed fee covering the full scope including one retest and all deliverables. The proposal must remain valid for a minimum of 90 days.

Evaluation Criteria

Proposals will be assessed based on the strength and clarity of the technical approach and methodology, the vendor’s experience with similar security audits, overall cost and value, the quality and completeness of documentation and reporting, and the proposed timeline and responsiveness to project requirements.

Timeline

The engagement will follow the schedule below. Actual dates may be adjusted based on vendor availability and coordination with SJAC’s engineering team.

  • RFP Published: 17 April 2026
  • RFP Closed: 15 May 2026

Phase 1 — Penetration Testing & Initial Report: 1-19 June 2026

The vendor performs a comprehensive white-box penetration test of Bayanat, including source-code review, dynamic testing, dependency analysis, container review, configuration assessment, and manual exploitation attempts.

At the conclusion of this phase, the vendor delivers an Initial Penetration Test Report detailing findings, severity ratings, and recommended remediations.

Phase 2 — Remediation & Fixes: 22 June - 17 July 2026

SJAC’s engineering team implements fixes for all identified vulnerabilities (except those explicitly accepted by SJAC).

During this period, the vendor remains available for clarification, triage discussions, and interim validation of complex issues as needed.

Phase 3 — Retest & Final Report: 20-31 July 2026

The vendor conducts a full retest of all issues addressed during Phase 2 to verify remediation.

Upon completion, the vendor delivers the Final Penetration Test Report, confirming resolution status and documenting any remaining risks.

Contact

For any questions about this RFP please contact us at: akareem [at] syriaaccountability [dot] org.

Proposal Submission Instructions

Proposals must be submitted in PDF format by 15 May 2026 to hiring [at] syriaaccountability [dot] org.

Include the following:

  • Cover Letter
  • Methodology & workplan
  • Team & roles
  • Project management & timeline
  • Technical needs from SJAC
  • Sample reports
  • Past performance & references
  • Pricing
  • Assumptions & exceptions