Request for Proposal (RFP)/Quote: Web App and API Penetration Testing


As many would know, OpenMRS is a globally utilized open-source software dedicated to managing medical records in low-resource settings. Our community Reference Application, known as the “RefApp,” is a crucial component with a Java backend, a Javascript Single Page Application (primarily React) served via a REST/FHIR API, and data storage in MySQL/MariaDB/PostgreSQL databases. The RefApp is taken and adapted around the world by organizations and then deployed on-premises, in regional government clouds, or with cloud vendors. Having already conducted Burp Suite scanning for the web application, we are now seeking comprehensive, human-driven ethical penetration testing for our core community-maintained RefApp product. This request encompasses both Web App and API Penetration Testing.

Scope of Work

We are looking for a skilled and experienced penetration testing team to thoroughly assess the security of our RefApp. The testing should cover vulnerabilities in the Java backend, the React-based Single Page Application, and the REST/FHIR API. Additionally, the penetration testing should encompass the security of data storage in MySQL/MariaDB/PostgreSQL databases. The objective is to identify and mitigate potential security risks, ensuring the robustness and integrity of our RefApp. The vendor should have skilled professionals experienced in testing Java backends, JavaScript applications (React), REST/FHIR APIs, and databases like MySQL/MariaDB/PostgreSQL.


  1. Comprehensive penetration testing of the Java backend, React-based Single Page Application, and REST/FHIR API.
  2. Evaluation of the security of data storage in MySQL/MariaDB/PostgreSQL databases.
  3. Ethical hacking to identify vulnerabilities and potential exploits.
  4. Detailed reporting on identified vulnerabilities, their severity, and recommended mitigations.
  5. Testing to be conducted in a way that minimizes disruption to the ongoing operations of the RefApp.
  6. Willing to communicate with the OpenMRS Global Support Team across time zones as-needed (primarily EST-mornings).
  7. Desired: Expertise in healthcare systems and open-source applications.

Proposal Submission

Interested parties are invited to submit their proposals by Wednesday March 13, 2024. Proposals can be simple and straightforward but should include: details on the testing methodology, relevant team expertise, cost estimates, and timeline (completion date should be May 15th at the latest). Please send your proposals to Program Officer Erica Kigotho at

Proposed Timeline:

  • Proposal Submission Deadline: March 13 2024
  • Vendor Selection: March 22 2024

We appreciate your interest in contributing to the security enhancement of OpenMRS, and we look forward to receiving your proposals!

Best Regards,

The OpenMRS Global Support Team


This topic was automatically closed after 60 minutes. New replies are no longer allowed.