Application Security Engineer

About Vac:

Vac builds public good protocols for the decentralised web. We do applied research based on which we build protocols, libraries and publications.

Vac’s R&D Service Units are integral to supporting IFT (The Institute of Free Technology) projects by researching and developing base components and secure, unbiased protocols.

The Vac Security service unit provides comprehensive support to IFT projects by conducting security audits and helping develop robust security plans. In addition to assisting IFT projects, the security team also supports other IFT services by offering expert guidance on security best practices and risk management strategies. This collaborative approach ensures that all aspects of the IFT ecosystem benefit from enhanced security measures.

By identifying potential vulnerabilities, assessing risks, and implementing effective security solutions tailored to specific needs, the Vac Security service unit plays a crucial role in strengthening the overall security posture of IFT.

The role:

We are looking for an Application Security Engineer to join our security service unit. In this role, you’ll perform in-depth reviews of critical code (with a focus on low-level languages like Rust, Nim, and C++), identify both code-level and protocol-level vulnerabilities, and support incident response efforts.

You’ll collaborate closely with development teams to remediate security issues and ensure best practices are followed. You’ll also play a key role in preparing for external security audits—defining audit scope, organising technical documentation, and working directly with auditors to ensure valuable and actionable results.

This is a hands-on position for someone passionate about secure software development and proactive risk mitigation.

Key responsibilities:

• Perform in-depth manual and automated reviews of source code (with a focus on low-level languages such as Rust, Nim, and C++) to identify security vulnerabilities and logic flaws.
• Analyse and review critical code paths for potential weaknesses.
• Identify and assess both code-level vulnerabilities (e.g., buffer overflows, injection flaws) and protocol-level issues (e.g., insecure cryptographic implementations, protocol misconfigurations).
• Execute incident response activities, including detection, analysis, containment, and recovery, while documenting findings and lessons learned for continuous improvement.
• Collaborate with development and product teams to remediate identified vulnerabilities, provide security guidance, and ensure secure coding practices are followed.
• Define clear audit objectives and scope for external audits, focusing on the most critical components and protocols.
• Prepare and organise all relevant documentation (architecture diagrams, codebase, threat models, protocol specifications) to facilitate an efficient and valuable external audit process.
• Engage with external auditors early to clarify expectations and provide necessary context, ensuring the audit delivers actionable results.
• Address and remediate issues identified in previous audits, and document improvements to demonstrate ongoing security maturity.

You ideally will have:

• Minimum of 5 years of experience in Web3 security engineering, with proven experience securing blockchain protocols, smart contracts, or cryptographic systems.
• Proficiency in low-level programming languages (Rust, Nim, C++).
• Expertise in secure coding practices, including identification of code/protocol-level vulnerabilities (e.g., buffer overflows, injection attacks) and code analysis/debugging.
• Experience with manual/automated code review techniques and penetration testing in Web3 ecosystems.
• Familiarity with cryptographic protocols, secure protocol design, and blockchain/distributed systems security.
• Incident response capabilities (detection, analysis, containment, recovery).
• Experience collaborating with development/product teams to remediate vulnerabilities, including SSDLC processes and external audit preparation.
• Strong documentation and communication skills for technical materials and stakeholder interactions (internal teams, auditors).
• Deep interest in blockchain technology and decentralisation.

Bonus points:

• Experience with static and dynamic analysis tools (e.g. CodeQL, Valgrind).
• Knowledge of formal verification methods and tools.
• Background in penetration testing or red teaming.
• Ability to educate and train others on security best practices.
• Contributions to open-source security projects or published security research.

Hiring process:

• Interview with our POps team.
• Interview with the Vac Security unit lead.
• Take home assignment + discussion with a team member from the Vac Security unit.
• Interview with a Vac team lead.