# Product Security Engineer (PSIRT - Product Security Incident Response Team)

**Company:** [Replit](https://hotfix.jobs/companies/replit)
**Location:** Foster City, CA
**Role:** Security Engineering
**Salary:** $180k – $325k/yr
**Skills:** Hackerone, Owasp Top 10, GCP, CI/CD, Python, Go, Bash, SOC 2, ISO 27001, SIEM, Cloud Logging, OAuth, OIDC, Cve, Pentesting
**Posted:** 2026-04-20

> Leads vulnerability response for cloud-native AI platform, managing intake, triage, validation, remediation coordination, and bug bounty programs. Requires expertise in reproducing web/app/cloud vulnerabilities and operating disclosure processes.

## Job Description

## What You’ll Do

### Vulnerability Intake, Triage & Validation
- Manage intake from bug bounty platforms (HackerOne preferred), customer reports, automated scanners, pentest reports, and coordinated disclosure channels.
- Independently validate, reproduce, severity-score, and document findings.
- Identify duplicates and maintain a clean vulnerability records pipeline.
- Assess relevance and exploitability using OWASP, cloud misconfiguration patterns, and identity/authentication/authorization risks (Oauth, OIDC).

### Remediation Coordination & SLA Management
- Work with Engineering, SecOps, IT, SRE, and Cloud Security to confirm product impact and drive remediation.
- Provide detailed reproduction steps, proof-of-concepts, and technical analyses.
- Track SLAs, remediation progress, regression testing, and systemic improvements.
- Support SOC 2, ISO 27001, and pentest evidence needs as part of vulnerability lifecycle governance.

### Bug Bounty & Vulnerability Disclosure Program Management
- Design and evolve the bug bounty program, including scope, rules, and reward structures.
- Manage platform selection, private vs. public launches, and community engagement.
- Communicate clearly with researchers, provide clarifications, and handle feedback or disputes.
- Determine reward payouts, bonus decisions, and recognition for top contributors.

### Coordinated Disclosure & CVE Management
- Lead the coordinated vulnerability disclosure process for internal and external findings.
- Negotiate disclosure timelines with researchers and partners.
- Coordinate CVE assignments and publications, and prepare customer/public advisories.

## Required Skills
- Experience running or triaging for bug bounty programs (HackerOne ideally).
- Strong ability to triage, validate, and reproduce vulnerabilities independently.
- Deep understanding of web/app/cloud vulnerability classes, **OWASP Top 10**, misconfigurations, authN/Z issues, etc.
- Familiarity with cloud platforms (**GCP** preferred) and SaaS architectures.
- Strong understanding of **CI/CD** workflows, code structure, and software engineering fundamentals.

## Nice to Have
- Scripting or automation experience (**Python**, **Go**, **Bash**).
- Pentesting background or exposure to offensive security work.
- Familiarity with compliance frameworks such as **SOC 2** and **ISO 27001**.
- Experience authoring public advisories or CVE writeups.
- Hands-on experience with **SIEM**, **Cloud Logging**, and investigative tooling.

## Similar roles

- [Network Security Engineer](https://hotfix.jobs/jobs/e7a9e818-ec25-409d-a1d9-0de7d952564d) - Lightning AI - San Francisco, CA - $180k – $220k/yr
- [Security Engineer - Azure Government](https://hotfix.jobs/jobs/77997ce4-7f3e-4114-90ae-2b590d6da619) - xAI - Palo Alto, CA - $180k – $440k/yr
- [Security Engineer, Infrastructure Security](https://hotfix.jobs/jobs/07228b27-48b3-41af-8e9a-208076e63fac) - OpenAI - Remote - $184k – $385k/yr
- [Software Engineer, Infrastructure Security](https://hotfix.jobs/jobs/afa352ff-09e0-4e37-8fa3-ab06fe7448dc) - OpenAI - Remote - $184k – $385k/yr
- [Security Engineer, Privacy](https://hotfix.jobs/jobs/21a248c5-bba3-4587-adc6-041fbbed1e1a) - Ramp - New York, NY - $185k – $375k/yr

**Apply:** https://hotfix.jobs/jobs/4a459143-2760-42fb-8536-f8b48519d936
**Canonical:** https://hotfix.jobs/jobs/4a459143-2760-42fb-8536-f8b48519d936