Project Title: End-to-End Penetration Testing (Web + Mobile + API) for Tele-Consultation & Hospital Management Platform

Project Overview

We are seeking an experienced cybersecurity professional or firm to perform a comprehensive Vulnerability Assessment and Penetration Test (VAPT) on our digital health ecosystem. The system consists of a Flutter-based mobile app (Android/iOS) and a web portal hosted on AWS. The goal is to conduct a real-world attack simulation and identify vulnerabilities across all layers: network, application, and data.

Scope of Engagement

The engagement will cover end-to-end testing for the following assets:

Web Applications
- [Link 1]: Patient, Doctor, and Hospital portals
- [Link 2]: Admin panel for internal management
- [Link 3]: Admin dashboard (explicitly included)
- Tech Stack: NextJS frontend, NodeJS backend, MySQL database

Mobile Applications
- Flutter-based apps (Android & iOS) for Patient, Doctor, and Hospital roles
- Integrations: Video consultation (e.g., Jitsi Meet), social logins (Google/Facebook/Apple/WhatsApp), OTP/token authentication
- Backend: NodeJS with MongoDB

APIs & Cloud Infrastructure
- RESTful APIs (NodeJS)
- AWS load balancer and backend servers
- MySQL and MongoDB databases

Testing Methodology

Frameworks: OWASP WSTG, OWASP MASVS/MSTG, OWASP API Top 10
Tools: Burp Suite Pro, OWASP ZAP, MobSF, Nmap, Postman/Insomnia, Frida, Objection, APKTool
Approach: Combination of manual and automated testing to assess:
- Authentication and authorization flaws
- Business logic vulnerabilities
- Session management issues
- Data exposure and encryption weaknesses
- Input validation and rate limiting gaps
- Cloud misconfigurations and access control

All tests must be non-destructive, ensuring no data deletion or service disruption. Testing will be coordinated with our technical team.

Deliverables
- Comprehensive VAPT Report: includes executive summary, CVSS scoring, technical findings, risk analysis, and proof-of-concept (PoC) evidence.
- Remediation Guidance: actionable fixes for each vulnerability.
- Retest Report: validation after we apply patches.
- Formal Certificate of Testing Completion: confirming compliance with OWASP standards.
- Data Deletion Certificate: confirming secure data disposal post-engagement.

Timelines
- Initial Testing: To be defined by freelancer
- Remediation Retest: After patch completion
- Total Duration: ASAP
- Progress Updates: Every 1–2 days

Technical Questionnaire

Please confirm the following when submitting your proposal:

| Question | Response (Yes/No & Details) |
| --- | --- |
| Do you have ₹10L Professional Indemnity Insurance? | |
| Do you have ₹10L Cyber Liability Insurance? | |
| Can you share a sample redacted VAPT report from a previous engagement? | |
| Do you have access to Mac/iOS devices for testing? | |
| Estimated schedule and tools you plan to use? | |

Compliance & Confidentiality
- Strict NDA applies; all discovered data is confidential.
- Compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Indian privacy regulations.
- All data must be encrypted, stored within India, and securely destroyed post-engagement.

Additional Notes
- Environment: Containerized staging setup (access credentials shared after onboarding).
- Specialized tools permitted, provided all methodologies and findings are documented in the final deliverables.
- Communication: Expect structured coordination with our DevSecOps lead.

Ideal Freelancer
- Proven experience in full-stack VAPT (web, mobile, and cloud)
- Familiarity with healthcare or telemedicine data compliance is a plus
- Certifications such as OSCP, CEH, or GPEN preferred