Hi OP, I'm Erik, CEO of IncludeSec. We do many FOSS audits for Mozilla, OpenTechFund, etc. I can give you some ranges and points of consideration from what I'm seeing in the industry today.

First consideration point is the quality of the team and the seniority of the people ACTUALLY DOING THE TESTING (a lot of pentest shops do a bait and switch: seniors present, but juniors do the actual work). Next consideration is the location of the company; EMEA and Asia have lower hourly rates than US teams. Next consideration is scope. Do you want the front door checked, or the entire house inside and out? In this case Cure53 spent 25 work days on this asmt, which gives quite a lot of time to analyze the software and check lots of different avenues of attack. Next consideration is the type of attacks to try and the security assessment methodology. Do you want just fuzzing? Perhaps you can get that for free from Google's OSS-Fuzz; they will sponsor people to set up your FOSS app with their fuzzer via CI/CD. Do you want static analysis from some big COTS vendor like Coverity/Fortify/Checkmarx/etc.? That could be useful, and they often have discounted/free scans they will do for FOSS. Or perhaps you want super smart hacker pentesters to code review and dynamically attack your app (that's what my team does). Next consideration is publicity: do you want this report public? Some charge extra for that. There's a million other things to consider when hiring a pentester, but this message is already too long.

To give you a ballpark, estimate $10k to $40k for small projects, $40k to $80k for medium-sized projects, and $80k to $150k for large projects. YMMV of course, but those ranges and the consideration points should get you well on your way. Hit us up if you need more tips, happy to help via email <myfirstname>@includesecurity.com