Product Security Engineer - Bug Bounty
VARITE INC · Lehi, UT · 1 wk ago
HybridEngineering$80–$84.5/hrFull-time
About the role
**** is seeking a Product Security Engineer to support our Bug Bounty program on a 6-month contract engagement, backfilling a team member on leave. You will be the frontline responder for external vulnerability reports submitted through the program, working closely with internal engineering and security teams to ensure timely, accurate triage and resolution.
Responsibilities
- Triage incoming vulnerability reports submitted via the bug bounty platform, assessing validity, impact, and scope.
- Assign CVSS scores and severity ratings accurately, following ****'s internal severity guidelines and industry standards.
- Reproduce proof-of-concept (PoC) exploits to validate reported vulnerabilities across web, API, and mobile surfaces.
- Communicate clearly and professionally with external researchers: request clarifications, provide status updates, and manage expectations.
- Cook up coordination with product engineering teams to route confirmed vulnerabilities for remediation.
- Identify duplicate, out-of-scope, or informational reports and close them with clear, respectful explanations.
- Contribute to internal documentation, triage runbooks, and severity calibration guidelines.
- Flag systemic or critical findings to Bug Bounty team for escalation as needed.
Requirements
- 3+ years of experience in application security, penetration testing, or a bug bounty / vulnerability disclosure role.
- A strong understanding of CVSS v3.1 scoring and hands-on experience applying it to real-world vulnerabilities.
- Proficiency in common web vulnerability classes: XSS, SQL injection, SSRF, IDOR, authentication flaws, and business logic issues.
- The ability to reproduce and validate PoC exploits using tools such as Burp Suite, browser DevTools, curl, and custom scripts.
- Familiarity with bug bounty platforms (e.g., HackerOne, Bugcrowd) and responsible disclosure processes.
- Solid written communication skills able to write clear, constructive responses to researchers of all skill levels.
- Familiarity with attacker techniques used by external researchers against LLM systems and generative AI products.
- Knowledge of application security vulnerabilities (OWASP Top 10) and mitigation techniques.
Nice to have
- Experience with cloud environments (AWS, Azure, GCP) and API security testing.
- Hands-on experience in penetration testing of AI/ML and LLM-powered products, including chat interfaces, agentic workflows, and inference APIs.
- Prior participation in bug bounty programs as a researcher.
- Familiarity with OWASP Top 10, CWE taxonomy, and CVE assignment processes.
- Background working within a large enterprise or SaaS security organization.
Benefits
We offer a comprehensive benefits package designed to support the health, well-being, and financial security of our employees and their families. Eligible employees may receive:
- Health Insurance: Medical, dental, and vision coverage
- Retirement Plans: Participation in a company-sponsored retirement savings plan
- Legal Service Plans: Offering access to attorneys for legal advice and representation.