Senior Product Security Engineer, Bug Bounty Operations

We’re looking for a Senior Product Security Operator to lead our bug bounty and vulnerability management programs.

As a member of the Product Security team, you will report to the Senior Manager of Product Security. You will be a primary driver of our vulnerability management program, leveraging your expertise to assess contextual impact from both your experience and offensive engagements and other internal and external sources. You will act as a primary point of contact with security researchers in our bug bounty program. Security at DO means solving incredibly complex problems at a high-scale that have real impact for our customers, our products, and for the larger internet community.

We want people who are passionate about making the internet a safer place for everyone. You will also have opportunities to conduct internal ethical hacking activities collaboratively alongside engineering teams to uncover vulnerabilities and weaknesses in the enterprise and consumer product environments. We believe that finding an issue is only the beginning of our work; we value cross-team coalitions and collaboration with the business to find reasonable remediations and view this post-engagement collaboration, regardless of whether the issue is an internal pentest finding or a bug bounty submission, as crucial to success. Your work will make our million+ customers more secure and will help ensure that DigitalOcean is a respected contributor to the broader security community.

What You’ll Do:

Lead our bug bounty and vulnerability management programs (85%)

• Act as the primary point of contact to security researchers engaged in our bug bounty program
• Assess and triage new vulnerabilities to the vulnerability management program to determine contextual impact to the business
• Educate security and engineering teams on topical vulnerability patterns, in coordination with teams such as fraud & abuse and threat intelligence

Occasionally perform penetration testing engagements and find vulnerabilities in software, systems, and networks (10%)

• Collaborate with security and engineering teams during key product launches to set scope, objective, and execution for penetration testing engagements, and keep stakeholders informed.
• Develop tools, methodologies, and infrastructure to support penetration testing engagements
• Provide holistic assessments of security layers across infrastructure, application, people, and process

Cultivate and promote a security culture (5%)

• Champion an internal security culture (developer training, internal CTFs, etc.)
• Help DigitalOcean engineers understand how security events impact them. How does Retbleed impact DigitalOcean’s fleet? How should the company respond to the next xz-style backdoor?

There’s no coding expectation in this role beyond scripting common pentest tools, but if interested you will have the opportunity to collaborate with our wider Security Engineering team on creating paved roads, secure defaults, and security automation, amongst other projects.

What You’ll Add to DigitalOcean:

Required qualifications:

• 3+ years experience operating a paid enterprise bug bounty program
• Expert understanding of software security architecture and design, threat modeling, and mitigations for common application security issues (e.g. OWASP Top Ten mitigations)
• A record of partnering with internal engineering teams to tackle security problems across an entire stack with empathy and creativity. Engineering teams are our partners, not our adversaries. Submitting findings in a Jira project is not the end of our task; it is the beginning of a conversation, and we look forward to collaborating with engineering teams to design and determine appropriate mitigations.

Preferred qualifications:

• Experience as a bug bounty researcher submitting reports to bug bounty programs.
• Contributions to the security community, such as open source tools, research papers, or conference talks.
• Familiarity with a variety of vulnerability and risk assessment frameworks, such as CWSS, FAIR, and SSVC
• While not required or expected, please highlight if you have any GIAC, eLearning, or similar certifications relevant to web, network, and systems penetration testing (OSCP, eCPPT, GPEN, CPTS, BSCP, etc.)

Why You’ll Like Working for DigitalOcean:

• We innovate with purpose. You’ll be a part of a cutting-edge technology company with an upward trajectory, who are proud to simplify cloud and AI so builders can spend more time creating software that changes the world. As a member of the team, you will be a Shark who thinks big, bold, and scrappy, like an owner with a bias for action and a powerful sense of responsibility for customers, products, employees, and decisions. 
• We prioritize career development. At DO, you’ll do the best work of your career. You will work with some of the smartest and most interesting people in the industry. We are a high-performance organization that will always challenge you to think big. Our organizational development team will provide you with resources to ensure you keep growing. We provide employees with reimbursement for relevant conferences, training, and education. All employees have access to LinkedIn Learning's 10,000+ courses to support their continued growth and development.
• We care about your well-being. Regardless of your location, we will provide you with a competitive array of benefits to support you from our Employee Assistance Program to Local Employee Meetups to flexible time off policy, to name a few. While the philosophy around our benefits is the same worldwide, specific benefits may vary based on local regulations and preferences.
• We reward our employees. The salary range for this position is $133,700 - $167,100 based on market data, relevant years of experience, and skills. You may qualify for a bonus in addition to base salary; bonus amounts are determined based on company and individual performance. We also provide equity compensation to eligible employees, including equity grants upon hire and the option to participate in our Employee Stock Purchase Program. 
• We value diversity and inclusion. We are an equal-opportunity employer, and recognize that diversity of thought and background builds stronger teams and products to serve our customers. We approach diversity and inclusion seriously and thoughtfully. We do not discriminate on the basis of race, religion, color, ancestry, national origin, caste, sex, sexual orientation, gender, gender identity or expression, age, disability, medical condition, pregnancy, genetic makeup, marital status, or military service.

*This is a remote role.

#LI-Remote