Product Security Engineer

Remote $208k–$312k middle 5 days ago full-time quality 8.6/10
JavaScriptTypeScriptNode.jsNext.jsCI/CDSASTDASTGitHub Advanced Security

What You Will Do:

  • Threat Modeling & Design Review: Partner with engineering and product teams to perform threat modeling for new and existing features. Identify potential risks early in the design phase and recommend security controls or design changes to mitigate threats.
  • Secure Code Review: Conduct secure code reviews and security assessments on products and services built with Next.js, Node.js, and our serverless backend.
  • Open Source Security Management: Oversee Vercel’s open-source security efforts, including monitoring and coordinating fixes for vulnerabilities in third-party open-source packages.
  • SDLC Tooling & Automation: Evaluate, select, and integrate security tools into our Software Development Life Cycle.
  • Bug Bounty Program Management: Own and expand Vercel’s bug bounty program, triaging and validating incoming vulnerability reports.
  • Cross-Organizational Security Initiatives: Lead and contribute to security projects that span multiple teams and disciplines.
  • Customer-Facing Security Support: Work closely with customer success and product marketing on security-related initiatives that impact our users.

About You:

  • Experienced Security Engineer: 5+ years of experience in a Product Security or related role, with a track record of securing web products and services.
  • Web Tech Stack Proficiency: Strong familiarity with JavaScript/TypeScript and Node.js runtime security.
  • Threat Modeling & SDLC Expertise: Demonstrated ability to perform threat modeling and architectural risk analysis for complex products.
  • Security Tools & Automation: Hands-on experience with product security tooling such as SAST, DAST, and CI/CD pipeline security integration.
  • Open Source and Supply Chain Security: Knowledge of open-source security best practices.
  • Bug Bounty & Vulnerability Management: Exposure to running or participating in a bug bounty program.
  • Cloud & Serverless Security Understanding: Solid understanding of cloud architecture and serverless environments from a security perspective.
  • Technical Leadership: Proven ability to drive security initiatives and influence engineering teams.

Benefits:

  • Competitive compensation package, including equity.
  • Inclusive Healthcare Package.
  • Learn and Grow - mentorship and events to build your network and skills.
  • Flexible Time Off.
  • WFH budget to outfit your space as needed.

Similar jobs

Before you apply

  • Legitimate employers never ask you to pay anything to apply or get hired.
  • Never share seed phrases or private keys. No real job needs them.
  • Do not install software ("test tasks", "trading tools", "video call clients") sent during hiring.
  • Check that the application page's domain really belongs to Vercel.