We protect the organizations that protect people.
Ahimsa Ecosystems is a Ukrainian non-profit civil-society organization. We provide pro-bono defensive security assessments to Ukrainian civil-society organizations and membership NGOs that hold sensitive member data but lack the resources to secure it. We find the gaps before attackers do, and we hand each organization a clear, prioritized way to fix them.
Security for those who cannot afford it
Membership NGOs, advocacy groups, and grassroots initiatives run on small budgets and volunteer effort. Their systems still hold the personal data of thousands of members. A single broken-access-control flaw can expose all of it. We close that gap, at no cost to them, drawing on the professional cybersecurity background of our team.
Defensive, authorized, minimal-impact
Access-control review
We review membership and signup platforms for broken access control (BOLA/IDOR): the flaws that let one user reach another's records or administrative functions.
Responsible disclosure
We report every issue privately to the organization with a clear, server-side remediation plan, and we verify the fix once it ships.
Strict scope and privacy
We test only systems we are authorized to assess, use minimal non-destructive requests, and exclude all session tokens and raw personal-data values from our reports.
- Only systems we own or are explicitly authorized to assess.
- One-request reproductions the organization can run itself.
- No testing of third parties without permission; no exfiltration of real user data.
- Human-in-the-loop on every action.
A critical flaw, found and fixed
With the founder's authorization, we assessed the membership platform of FreePeople (freepeople.org.ua), a Ukrainian civil-society membership organization, and identified and responsibly disclosed a critical broken-access-control vulnerability: any authenticated non-admin user could reach administrative APIs exposing the personal data of roughly 4,000 members. We delivered prioritized server-side remediation guidance, and the issue has since been remediated. The assessment used only minimal, non-destructive requests, and our report deliberately excluded all session tokens and raw personal-data values.
Yevgen Melnyk
Head of organization
Our security work is led by Yevgen Melnyk, who brings a professional cybersecurity background. He co-founded and was CEO of ROMAD Cyber Systems, an endpoint-protection company recognized in Security Current's CISO-judged "Security Shark Tank" at RSA Conference 2017 and 2016, and named a MarketsandMarkets EDR "Key Innovator." He conducts coordinated vulnerability disclosure on HackerOne (profile ymelnyk) and leads Ahimsa's pro-bono assessments for Ukrainian civil-society organizations.
Work with us
If you run a Ukrainian civil-society organization and want a defensive security review, or if you would like to support this work, get in touch.