Skip to content
VercelVercelUnited States

Product Security Engineer

Product Security Engineer driving threat modeling, secure code review, open-source security, SDLC tooling, and bug bounty management for Vercel's web platform built on Next.js and Node.js. Requires 5+ years securing web products with strong JavaScript/Node.js and cloud security expertise.

Salary not listed
Remote5+ YOESecurity Engineering

About the role

What You Will Do

Threat Modeling & Design Review: Partner with engineering and product teams to perform threat modeling for new and existing features. Identify potential risks early in the design phase and recommend security controls or design changes to mitigate threats.

Secure Code Review: Conduct secure code reviews and security assessments on products and services built with Next.js, Node.js, and serverless backend. Uncover code-level vulnerabilities, provide actionable remediation guidance to developers, and establish best practices for secure coding.

Open Source Security Management: Oversee Vercel’s open-source security efforts. Monitor and coordinate fixes for vulnerabilities in third-party open-source packages. Ensure the security of open-source projects maintained and published (e.g., Next.js). Work with maintainers and the community on responsible disclosure and patching.

SDLC Tooling & Automation: Evaluate, select, and integrate security tools into the Software Development Life Cycle. Drive implementation of automated security checks using GitHub Advanced Security (GHAS), static analysis, dependency scanning, and secret detection tools in CI/CD pipelines and GitHub workflows.

Bug Bounty Program Management: Own and expand Vercel’s bug bounty program. Triage and validate incoming vulnerability reports, ensure critical issues are promptly addressed, and coordinate cross-team remediation efforts. Refine policies, scope, and engagement to encourage high-quality submissions.

Cross-Organizational Security Initiatives: Lead and contribute to security projects spanning multiple teams. Drive company-wide upgrades to secure frameworks, implement new authentication/authorization mechanisms, or roll out security awareness programs. Act as a security champion across the organization.

Customer-Facing Security Support: Work with customer success and product marketing on security-related initiatives. Contribute to security documentation and whitepapers, assist with customer security questionnaires or audits, and communicate security features to build customer trust.

About You

  • 5+ years of experience in a Product Security role (or related field) with a track record of securing web products and services
  • Strong familiarity with JavaScript/TypeScript and Node.js runtime security
  • Experience with modern web frameworks (ideally Next.js or React) and understanding of their security considerations
  • Demonstrated ability to perform threat modeling and architectural risk analysis
  • Experience implementing secure development lifecycle practices (secure design, code review, pentesting)
  • Hands-on experience with SAST, DAST, dependency vulnerability scanners, and CI/CD pipeline security integration
  • Familiarity with GitHub Advanced Security or similar tools for code scanning and secret detection
  • Knowledge of open-source security best practices and experience with dependency/package management security tools (Dependabot, Snyk)
  • Exposure to running or participating in a bug bounty program or vulnerability disclosure process
  • Solid understanding of cloud architecture and serverless environments from a security perspective
  • Proven ability to drive security initiatives and influence engineering teams to adopt best practices

Skills

JavaScriptTypeScriptNode.jsNext.jsReactThreat ModelingSASTDASTGithub Advanced SecurityDependabotSnykBug BountyOwasp Top 10Serverless SecurityCi/Cd Security
Forus

Security Program Manager

ForusNew York, NY

Own end-to-end compliance programs (SOC 2, HIPAA, HITRUST), build customer trust function, implement automation, and partner with engineering on controls for a healthcare AI platform handling protected health information.

Salary not listed
On-site4+ YOESecurity Engineering
Anthropic

Safeguards Enforcement Analyst, Account Takeover & Credential Abuse

AnthropicSan Francisco, CA +2

Safeguards Enforcement Analyst focused on account takeover and credential abuse. Investigate compromise incidents, design remediation workflows, partner with engineering on detection, enforce AI usage policies, and develop scalable enforcement programs for platform safety.

245k – 285k
HybridSecurity Engineering
Zocdoc

Application Security Engineer

ZocdocUnited States

Application Security Engineer partnering with engineering teams to embed security into the SDLC, triage SAST/SCA findings, provide remediation guidance on OWASP issues, maintain security docs/playbooks, support governance/audits, and integrate GenAI tools while building AI governance guardrails.

100k – 140k
RemoteSecurity Engineering
Cloudflare

Detection & Mitigation Engineer

CloudflareUnited States

Security Detections Engineer identifying attacker TTPs, building real-time detections, and mitigating threats/abuse across Cloudflare's global platform using data analysis, SQL, scripting, and threat intelligence. Requires strong analytical and communication skills.

Salary not listed
HybridSecurity Engineering
Mintlify

Security & Compliance Operations Manager

MintlifySan Francisco, CA

Own and run Mintlify's end-to-end security and compliance programs (SOC 2, ISO 27001/42001, GDPR, Microsoft SSPA) as the first dedicated GRC Program Manager. Administer Drata, manage audits/vendors/evidence, handle customer-facing compliance, and coordinate with engineering.

120k – 180k
On-site3+ YOESecurity Engineering