Jobs · Engineering · Texas

Senior Product Vulnerability Manager

HID · Austin, TX · 6 days ago
Engineering$170k/yrFull-time

About the role

As part of the Product Security and Privacy team, you will own and operate the corporate-wide Product Vulnerability Management program.

You will establish the organization’s technical and operational capabilities to detect, triage, prioritize, and respond to product vulnerabilities across a diverse portfolio of products and technologies.

Accountable for the consistency, scalability, and defensibility of vulnerability management practices, you will ensure processes, tooling, and outputs are standardized, audit-ready, and aligned with regulatory expectations, including the EU Cyber Resilience Act (CRA).

Responsibilities

  • Define and maintain the enterprise Product Vulnerability Management framework, including processes for intake, triage, prioritization, remediation tracking, and disclosure.
  • Establish standardized vulnerability triage and risk prioritization methodologies that work across the organization.
  • Define and implement the corporate-wide vulnerability management policies and standards ensuring our Product Security Incident Response processes are appropriate with the organization’s expectations and regulatory requirements.
  • Owning the Coordinated Vulnerability Disclosure (CVD) program, including external intake channels, researcher engagement, and coordination.
  • Translate regulatory requirements (e.g., EU Cyber Resilience Act) into operational processes, controls, and reporting obligations.
  • Define and manage the enterprise tooling strategy for vulnerability detection (e.g., SAST, DAST, SCA, container scanning), including selection, configuration, and integration into CI/CD pipelines.
  • Establish minimum tooling and coverage baselines across product types and ensure consistent adoption.
  • Define and operationalize SBOM-driven vulnerability management practices, including monitoring and response to third-party component vulnerabilities.
  • Develop scalable playbooks, guidance, and decision frameworks enabling product teams to independently triage and respond to vulnerabilities.
  • Define training requirements and develop enablement materials for product teams on vulnerability identification, triage, and response processes.
  • Define metrics, reporting, and dashboards to measure vulnerability management effectiveness, including SLA adherence, backlog, and remediation timelines.
  • Provide executive-level reporting and insights on product vulnerability risk posture.
  • Define governance processes, including exception handling, risk acceptance, and escalation pathways.
  • Lead audit and assessment readiness related to vulnerability management processes and outputs.
  • Build and lead a small team responsible for program operations, tooling, and disclosure coordination.
  • Partner with Product Security Architects, Engineering, Legal, and Compliance teams to ensure alignment and effective execution across the organization.
  • Act as the central authority for product vulnerability management practices across the organization.
  • Enable a federated operating model where product teams own remediation while adhering to centralized standards and processes.
  • Drive consistency in vulnerability handling across a large and diverse product portfolio.
  • Ensure vulnerability management practices scale effectively across hundreds of products and multiple technology domains.
  • Provide strategic direction for continuous improvement of vulnerability management capabilities, tooling, and processes.
  • Support regulatory audits and customer inquiries related to vulnerability management and disclosure practices.

Qualifications

  • Experience designing, building, or scaling a vulnerability management or PSIRT program within a product security or application security context.
  • Strong understanding of the vulnerability lifecycle, including detection, triage, prioritization, remediation tracking, and disclosure.
  • Working knowledge of application security principles and common vulnerability classes (e.g., OWASP Top 10).
  • Experience with vulnerability detection tooling (SAST, DAST, SCA, container scanning) and integration into development pipelines.
  • Experience defining or applying vulnerability scoring methodologies (e.g., CVSS) in a product context.
  • Familiarity with Coordinated Vulnerability Disclosure (CVD) processes and external researcher engagement.
  • Familiarity with regulatory requirements related to product security and vulnerability management, such as the EU Cyber Resilience Act (CRA).
  • Experience working within or supporting Secure Software Development Lifecycle (SSDL/SSDLC) programs.
  • Strong ability to define processes, standards, and governance models that scale across large organizations.
  • Excellent communication skills with the ability to translate technical risk into business impact.
  • Experience operating in large-scale, multi-product environments with distributed engineering teams is preferred.
  • Experience establishing or managing SBOM and software supply chain vulnerability programs is preferred.
  • Experience with vulnerability disclosure programs or bug bounty platforms is preferred.
  • Experience working in regulated industries or environments with strong compliance requirements is preferred.
  • Experience with Agile/SAFe methodologies is preferred.
  • Experience leading or mentoring small, high-impact teams is preferred.

Pay

The base salary in the United States is $170,000 USD to $200,000 USD.

Schedule

This opportunity may be open to flexible working arrangements.

Similar jobs