Product Security Engineer (Node.js)
Описание вакансии
TL;DR
Product Security Engineer (Node.js): Drive critical product security initiatives across the company's products and platform, with an emphasis on threat modeling, open-source software security, and secure code review. The focus is on integrating security into the SDLC, managing the bug bounty program, and ensuring the security of serverless infrastructure.
Location: Remote if beyond commuting distance to San Francisco, New York, London, or Berlin; otherwise hybrid with in-office anchor days on Monday, Tuesday, and Friday.
Salary: $208,000 - $312,000 (San Francisco base pay)
Company
An agentic infrastructure company providing a platform for developers and agents to ship high-performance web products; the team behind Next.js, v0, and AI SDK.
What you will do
- Perform threat modeling and design reviews for new and existing features to mitigate risks early in the design phase.
- Conduct secure code reviews for products and services built with Next.js, Node.js, and serverless backends.
- Oversee open-source security efforts, monitoring third-party packages and ensuring the security of the open-source projects the company maintains.
- Evaluate and integrate security tools (SAST, DAST, secret detection) into CI/CD pipelines and GitHub workflows.
- Own and expand the bug bounty program, triaging reports and coordinating remediation across teams.
- Lead cross-organizational security projects and collaborate with customer success on security documentation and audits.
Requirements
- 5+ years of experience in Product Security or a related field with a track record of securing web products.
- Proficiency in JavaScript, TypeScript, and Node.js runtime security, with experience in modern web frameworks like Next.js or React.
- Demonstrated ability to perform threat modeling and integrate security into a fast-paced SDLC.
- Hands-on experience with product security tooling such as SAST, DAST, and dependency vulnerability scanners.
- Knowledge of open-source supply chain security and experience handling vulnerability advisories.
- Solid understanding of cloud architecture and serverless environments from a security perspective.
Nice to have
- Prior software development experience as a frontend or backend engineer.
- Relevant security certifications such as OSCP, OSWE, or CISSP.
- Experience with policy-as-code or infrastructure-as-code security (e.g., Open Policy Agent, Terraform).
- Active participation in the security community or contributions to open-source security projects.
Culture & Benefits
- Competitive compensation package including equity.
- Inclusive healthcare package.
- Mentorship and budgets for professional events and skill development.
- Flexible time off.
- Provision of necessary gear and a WFH budget for home office setup.