Jobs · Engineering · Washington

Senior Staff Product Security Engineer | Product Security Incident Response Team (PSIRT)

ServiceNow · Kirkland, WA · 1 wk ago
HybridEngineering$201k–$352k/yrFull-time

About the role

The ServiceNow Security Organization (SSO) delivers world-class, innovative security solutions to reduce risk and protect the company and our customers. We enable our customers to migrate their most sensitive data and workloads to the cloud, accelerating our business so that we are the most trusted SaaS provider. This role is for a recognized expert who can operate independently and as part of a team on the most significant security issues facing the platform—vulnerabilities that require evaluating intangibles.

Responsibilities

  • Lead Through Significant Security Events
    • Provide additional response coverage outside of normal working hours for significant product vulnerabilities as they emerge.
      • Demonstrate technical and organizational leadership during these events—bringing structure and clear decision-making under pressure.
        • Partner with incident commanders, business information security leadership, engineering, and customer-facing teams to maintain clear ownership, workstream prioritization, and hand-offs during these events.
  • Reduce Exposure Window
    • Drive coordinated response across affected releases, balancing risk and remediation feasibility.
      • Leverage an understanding of product development cycles and engineering/product partnerships to move fixes through the release pipeline without stalling on organizational boundaries.
    • Verify fix completeness and guard against incomplete mitigations before release.
  • Drive the CVE & Coordinated Disclosure Process
    • Own ServiceNow's CVE disclosure process—assigning CVEs, scoring, advisory content, and publication timing.
      • Collaborate with external security partners, vendors, and researchers on coordinated disclosures, aligning timelines and messaging across parties.
    • Conduct technical accuracy reviews of external advisories, researcher write-ups, and joint disclosure content to ensure correctness before publication.
      • Represent PSIRT's technical position in multi-party coordinated disclosures and researcher engagements.
  • Pursue After-Action Outcomes & Continuous Improvement
    • Author postmortems and drive lessons learned to closure following product security incidents.
      • Participate in retrospectives following significant product security events, translating findings into concrete process and technical improvements.
    • Contribute to partner teams tracking product security risk themes and trends across the portfolio.
      • Contribute to SDLC improvement areas, feeding incident learnings upstream into secure development practices.

Qualifications

  • Minimum 12 years of related experience with a Bachelor's degree; or 8 years with a Master's degree; or a PhD with 5 years of experience; or equivalent experience.
    • Minimum 5 years of auditing source code for security vulnerabilities.
  • Demonstrated leadership during significant security events or major incidents, with willingness to participate in on-call.
  • Ability to read and comprehend Java and JavaScript code.
    • Strong understanding of common Java and JavaScript vulnerabilities.
  • Proficiency in scripting in both Python and JavaScript for data gathering, processing, and visualization.
  • Development of proof-of-concept exploits for web application vulnerabilities.
    • Written and verbal communication of complex security risk clearly to both technical teams and leadership.
  • Experience with leading fix implementation and release coordination across engineering, product, and test/release teams.
  • Experience leading a CVE disclosure process, including CVE assignment, scoring (CVSS), and advisory publication.

Preferred Qualifications

  • Experience in a PSIRT or similar function for a major software or SaaS platform.
    • Recognized expertise in product security incident response, vulnerability research, or application security within a software or SaaS environment.
  • Experience conducting vulnerability assessments on the ServiceNow platform.
  • Experience with emerging threats: AI-specific attack vectors, software supply chain security, and SDLC tooling security.
  • Experience with cloud infrastructure (AWS, Azure, GCP) and containerized environments.
  • Relevant security certifications (e.g., OSWE) or demonstrated equivalent expertise.

Similar jobs