Senior Product Vulnerability Manager
HID · Austin, TX · 6 days ago
Engineering$170k/yrFull-time
About the role
As part of the Product Security and Privacy team, you will own and operate the corporate-wide Product Vulnerability Management program.
You will establish the organization’s technical and operational capabilities to detect, triage, prioritize, and respond to product vulnerabilities across a diverse portfolio of products and technologies.
Accountable for the consistency, scalability, and defensibility of vulnerability management practices, you will ensure processes, tooling, and outputs are standardized, audit-ready, and aligned with regulatory expectations, including the EU Cyber Resilience Act (CRA).
Responsibilities
- Define and maintain the enterprise Product Vulnerability Management framework, including processes for intake, triage, prioritization, remediation tracking, and disclosure.
- Establish standardized vulnerability triage and risk prioritization methodologies that work across the organization.
- Define and implement the corporate-wide vulnerability management policies and standards ensuring our Product Security Incident Response processes are appropriate with the organization’s expectations and regulatory requirements.
- Owning the Coordinated Vulnerability Disclosure (CVD) program, including external intake channels, researcher engagement, and coordination.
- Translate regulatory requirements (e.g., EU Cyber Resilience Act) into operational processes, controls, and reporting obligations.
- Define and manage the enterprise tooling strategy for vulnerability detection (e.g., SAST, DAST, SCA, container scanning), including selection, configuration, and integration into CI/CD pipelines.
- Establish minimum tooling and coverage baselines across product types and ensure consistent adoption.
- Define and operationalize SBOM-driven vulnerability management practices, including monitoring and response to third-party component vulnerabilities.
- Develop scalable playbooks, guidance, and decision frameworks enabling product teams to independently triage and respond to vulnerabilities.
- Define training requirements and develop enablement materials for product teams on vulnerability identification, triage, and response processes.
- Define metrics, reporting, and dashboards to measure vulnerability management effectiveness, including SLA adherence, backlog, and remediation timelines.
- Provide executive-level reporting and insights on product vulnerability risk posture.
- Define governance processes, including exception handling, risk acceptance, and escalation pathways.
- Lead audit and assessment readiness related to vulnerability management processes and outputs.
- Build and lead a small team responsible for program operations, tooling, and disclosure coordination.
- Partner with Product Security Architects, Engineering, Legal, and Compliance teams to ensure alignment and effective execution across the organization.
- Act as the central authority for product vulnerability management practices across the organization.
- Enable a federated operating model where product teams own remediation while adhering to centralized standards and processes.
- Drive consistency in vulnerability handling across a large and diverse product portfolio.
- Ensure vulnerability management practices scale effectively across hundreds of products and multiple technology domains.
- Provide strategic direction for continuous improvement of vulnerability management capabilities, tooling, and processes.
- Support regulatory audits and customer inquiries related to vulnerability management and disclosure practices.
Qualifications
- Experience designing, building, or scaling a vulnerability management or PSIRT program within a product security or application security context.
- Strong understanding of the vulnerability lifecycle, including detection, triage, prioritization, remediation tracking, and disclosure.
- Working knowledge of application security principles and common vulnerability classes (e.g., OWASP Top 10).
- Experience with vulnerability detection tooling (SAST, DAST, SCA, container scanning) and integration into development pipelines.
- Experience defining or applying vulnerability scoring methodologies (e.g., CVSS) in a product context.
- Familiarity with Coordinated Vulnerability Disclosure (CVD) processes and external researcher engagement.
- Familiarity with regulatory requirements related to product security and vulnerability management, such as the EU Cyber Resilience Act (CRA).
- Experience working within or supporting Secure Software Development Lifecycle (SSDL/SSDLC) programs.
- Strong ability to define processes, standards, and governance models that scale across large organizations.
- Excellent communication skills with the ability to translate technical risk into business impact.
- Experience operating in large-scale, multi-product environments with distributed engineering teams is preferred.
- Experience establishing or managing SBOM and software supply chain vulnerability programs is preferred.
- Experience with vulnerability disclosure programs or bug bounty platforms is preferred.
- Experience working in regulated industries or environments with strong compliance requirements is preferred.
- Experience with Agile/SAFe methodologies is preferred.
- Experience leading or mentoring small, high-impact teams is preferred.
Pay
The base salary in the United States is $170,000 USD to $200,000 USD.
Schedule
This opportunity may be open to flexible working arrangements.