Vercel - Senior Product Security Engineer

• 5+ years • Web Tech Stack Proficiency: Strong familiarity with JavaScript/TypeScript and Node.js runtime security. Experience with modern web frameworks (ideally Next.js or React and Node-based frameworks) and understanding of their security considerations. You can read and review code in these technologies to spot security flaws. • Web Tech Stack Proficiency: • Threat Modeling & SDLC Expertise: Demonstrated ability to perform threat modeling and architectural risk analysis for complex product. You understand how to integrate security into a fast-paced SDLC without slowing it down. Experience implementing or working with secure development lifecycle practices (secure design, code review, pentesting, etc.) is required. • Threat Modeling & SDLC Expertise: • Security Tools & Automation: Hands-on experience with product security tooling such as static product security testing (SAST), dynamic testing (DAST), dependency vulnerability scanners, and CI/CD pipeline security integration. Familiarity with GitHub Advanced Security or similar tools for code scanning and secret detection is a strong plus. • Security Tools & Automation: • Open Source and Supply Chain Security: Knowledge of open-source security best practices. You have experience dealing with open-source dependencies and package management security (e.g., handling vulnerability advisories, using tools like Dependabot or Snyk). Bonus if you have contributed to or maintained open-source projects, especially security-related ones. • Open Source and Supply Chain Security: • Bug Bounty & Vulnerability Management: Exposure to running or participating in a bug bounty program or vulnerability disclosure process. You know how to assess externally reported issues, reproduce and validate vulnerabilities, and coordinate fixes. You stay up-to-date on the latest vulnerabilities (OWASP Top 10, emerging threats) and methods to mitigate them. • Bug Bounty & Vulnerability Management: • Cloud & Serverless Security Understanding: Solid understanding of cloud architecture and serverless environments from a security perspective. You are familiar with securing products on cloud platforms (e.g., securing serverless functions, protecting APIs, managing secrets and keys). Experience with related cloud security concepts or tools is a plus. • Cloud & Serverless Security Understanding: • Technical Leadership: Proven ability to drive security initiatives and influence engineering teams to adopt best practices. You can work cross-functionally to achieve security goals – for example, rolling out a new security tool or standard across many engineers. (While we emphasize technical skills, this senior role requires you to effectively communicate and lead within the organization to get things done.) • Technical Leadership: • Bonus If You: • Have prior software development experience beyond security (e.g. as a frontend or backend engineer). Being able to empathize with developers and write or contribute code will help you integrate security seamlessly into development. • Hold relevant security certifications or recognitions (for example, OSCP, OSWE, CISSP, or notable bug bounty hall of fame entries). These demonstrate your depth of knowledge, though they are not required. • Experience with security policy-as-code or infrastructure as code security (for instance, using tools like Open Policy Agent, Terraform security checks, etc.). This shows you can bring security into the automation and infrastructure realm. • Have built or implemented security features in a product (such as authentication systems, encryption, secure CI/CD pipelines) or contributed to security community projects/tools. • Are an active participant in the security community (e.g., contributing to open source security projects, writing blog posts or research, attending or speaking at security conferences). A passion for continuous learning and sharing knowledge is always a plus on our team.