Application Security Engineer, AI-Assisted Vulnerability Management

Summary
The Eclipse Foundation is one of the world’s largest open source software foundations, with a proven track record of enabling developer-focused open source innovation earned over 19 years. The Foundation is the home of numerous industry-leading projects and collaborations including Adoptium, Software Defined Vehicle, Eclipse IDE, IOT and Jakarta EE.  Supported by over 350 members globally, the Foundation has an established international reach and reputation. 

The Role
We are looking for an Application Security Engineer to design, build, and operate AI-assisted vulnerability management workflows across Eclipse Foundation open source projects. This role combines application security, security automation, and practical use of large language models to help identify, triage, and remediate vulnerabilities at a scale that would be difficult to achieve manually.

This is not a role focused on casually prompting a chatbot. You will build pipelines, integrate AI-assisted analysis into developer and CI/CD workflows, evaluate findings critically, reduce false positives, and collaborate with project maintainers to land real fixes. The goal is to deliver measurable improvements in how the Foundation discovers, prioritizes, and resolves security issues across its project portfolio.

Location and Term Role
This is an initial 12-month fixed-term role, fully remote and open to candidates located in the European Union, Canada, and the United States. Depending on organizational needs, funding, performance, and mutual fit, there may be an opportunity for renewal or transition to an ongoing/permanent position.


Responsibilities

• Build and integrate AI-assisted security tooling
  Design and implement pipelines that use large language models, AI-assisted code analysis, and traditional security tools to scan Eclipse projects for vulnerabilities, including code-level flaws, dependency risks, and misconfigurations.
• Develop scalable triage workflows
  Create workflows that separate true positives from noise, prioritize findings based on severity and exploitability, and produce actionable reports for project teams.
• Drive remediation
  Work with project maintainers to propose fixes, submit pull requests, and validate that vulnerabilities have been properly resolved.
• Evaluate and improve tooling
  Benchmark AI-assisted approaches against traditional SAST, DAST, SCA, and dependency-scanning tools. Measure false-positive rates, assess usefulness, and continuously refine prompts, retrieval strategies, evaluation methods, and model or tool selection.
• Support responsible AI use in security workflows
  Help define safe and appropriate use of AI tooling, including the handling of sensitive vulnerability information, project source code, disclosure timelines, and data-sharing constraints.
• Document and share knowledge
  Produce internal playbooks, technical write-ups, and metrics dashboards so the security team can sustain and extend this work over time.
• Coordinate with the broader security team
  Participate in vulnerability disclosure processes, CVE management, and security advisories as needed.

Success in This Role
Success in this role means helping the Eclipse Foundation improve the speed, accuracy, and consistency of vulnerability discovery and remediation. This includes reducing triage time, improving true-positive rates, increasing the number of actionable findings delivered to projects, and helping maintainers land verified fixes. The role requires careful human review of AI-generated findings before they are shared with maintainers. We value accuracy, reproducibility, and respectful collaboration over the volume of reports produced.

Education
A degree in software engineering, computer science, cybersecurity, or a related field is welcome. Equivalent practical experience is also highly valued. Relevant certifications are considered an asset but are not required.

Desired Skills and Experience
We are looking for someone who is curious, pragmatic, and service-oriented. The successful candidate will be comfortable investigating technical issues, asking thoughtful questions, documenting work carefully, and helping others understand and address security risks.

This role requires someone who can operate with a high level of trust, communicate calmly during security events, and balance security priorities with the realities of a collaborative, mission-driven open source environment. You should be comfortable working with distributed teams and contributing to a culture where security enables participation, transparency, and resilience. You should also be comfortable communicating with volunteer and professional maintainers in a constructive, respectful, and actionable way

Must-Have Qualifications

• Strong application security background, including familiarity with common vulnerability classes such as OWASP Top 10 and CWE, secure coding practices, and practical exploitability analysis.
• Hands-on experience conducting security code reviews, audits, or assessments using SAST, DAST, SCA, dependency scanning, or other code analysis tools.
• Ability to build and integrate developer-facing tooling using languages such as Python, Java, TypeScript, or similar.
• Practical experience applying LLMs or AI-assisted tools to code analysis, vulnerability research, developer productivity, or security automation.
• Ability to evaluate AI-generated findings critically, measure false positives, and design human-in-the-loop review workflows.
• Familiarity with open source development workflows, including Git, GitHub or GitLab, pull requests, issue tracking, and CI/CD.
• Strong written communication skills, including the ability to write actionable security findings, advisories, issues, and remediation guidance for maintainers with varying security backgrounds.

Nice-to-Have Qualifications

• Experience contributing to or maintaining open source projects.
• Familiarity with the Eclipse Foundation ecosystem, including projects such as Eclipse IDE, Jakarta EE, Adoptium, Eclipse Mosquitto, or Software Defined Vehicle.
• Experience with tools such as CodeQL, Semgrep, GitHub Advanced Security, osv-scanner, Trivy, Grype, Syft, Dependabot, or similar.
• Background in prompt engineering, retrieval-augmented generation, or model evaluation for code-related tasks.
• Experience with vulnerability disclosure and CVE processes.
• Knowledge of software supply-chain security practices and technologies such as SBOM, Sigstore, SLSA, OSV, or OpenSSF Scorecard.
• Experience building dashboards, metrics, or reporting workflows for security programs.

Working Style
We are looking for someone who values practical impact over theoretical findings. You should be comfortable working across many projects, dealing with incomplete information, validating results carefully, and communicating findings in ways that help maintainers take action.

This role requires good judgment, discretion with sensitive vulnerability information, and the ability to balance security urgency with open source community realities.
Location and Terms

Compensation and Benefits
We offer highly competitive compensation along with a comprehensive benefits package. We thank all applicants for their interest; however, only those to be interviewed will be contacted. For more information about Eclipse Foundation, please visit our website at https://eclipse.org/

Eclipse respects the dignity and independence of people with disabilities, and is committed to providing accommodation and support to persons with disabilities throughout any recruitment process, once made aware of a need for accommodation. If you require any special accommodation or support during the recruitment process, please indicate in your email to us.