There are 2 that include vercel in this search.

Strong knowledge of Kubernetes, Terraform, and cloud platforms (AWS, GCP, Azure) ...

As a senior member of the team, you will lead cross-organizational security projects and champion a security-first culture within Vercel’s engineering organization. This is a high-impact role with broad scope – your work will not only secure Vercel’s core infrastructure and products (built with Next.js, Node.js, and serverless architecture) but also influence the security of the open-source ecosystems we contribute to.

If you’re based within a pre-determined commuting distance of one of our offices (SF, NY, London, or Berlin), the role includes in-office anchor days on Monday, Tuesday, and Friday. If you're located beyond that distance, the role is fully remote. For location-specific details, please connect with our recruiting team.

Oversee Vercel’s open-source security efforts. This includes monitoring and coordinating fixes for vulnerabilities in third-party open-source packages we use (as a consumer) and ensuring the security of the open-source projects we maintain and publish (as a contributor/publisher, e.g. Next.js). You will work with maintainers and the community on responsible disclosure and patching of security issues in open-source code.

Evaluate, select, and integrate security tools into our Software Development Life Cycle. You will drive the implementation of automated security checks – for example, using GitHub Advanced Security (GHAS) and other static analysis, dependency scanning, and secret detection tools – directly in our CI/CD pipelines and GitHub workflows. By embedding security tooling into developer workflows, you will help catch issues early and reduce manual effort.

of experience in a Product Security or Product Security role (or related field) with a track record of securing web products and services. You’re well-versed in the fundamentals of product security and have hands-on experience finding and fixing vulnerabilities.

Strong familiarity with JavaScript, TypeScript, and Node.js runtime security. Experience with modern web frameworks (ideally Next.js or React and Node-based frameworks) and understanding of their security considerations. You can read and review code in these technologies to spot security flaws.

Demonstrated ability to perform threat modeling and architectural risk analysis for complex products. You understand how to integrate security into a fast-paced SDLC without slowing it down. Experience implementing or working with secure development lifecycle practices (secure design, code review, pentesting, etc.) is required.

Hands-on experience with product security tooling such as static product security testing (SAST), dynamic testing (DAST), dependency vulnerability scanners, and CI/CD pipeline security integration. Familiarity with GitHub Advanced Security or similar tools for code scanning and secret detection is a strong plus.

Knowledge of open-source security best practices. You have experience dealing with open-source dependencies and package management security (e.g. handling vulnerability advisories, using tools like Dependabot or Snyk). Bonus if you have contributed to or maintained open-source projects, especially security-related ones.

Exposure to running or participating in a bug bounty program or vulnerability disclosure process. You know how to assess externally reported issues, reproduce and validate vulnerabilities, and coordinate fixes. You stay up-to-date on the latest vulnerabilities (OWASP Top 10, emerging threats) and methods to mitigate them.

Solid understanding of cloud architecture and serverless environments from a security perspective. You are familiar with securing products on cloud platforms (e.g. securing serverless functions, protecting APIs, managing secrets and keys). Experience with related cloud security concepts or tools is a plus.

Proven ability to drive security initiatives and influence engineering teams to adopt best practices. You can work cross-functionally to achieve security goals – for example, rolling out a new security tool or standard across many engineers. (While we emphasize technical skills, this senior role requires you to effectively communicate and lead within the organization to get things done.)

Have prior software development experience beyond security (e.g. as a frontend or backend engineer). Being able to empathize with developers and write or contribute code will help you integrate security seamlessly into development.

Hold relevant security certifications or recognitions (for example OSCP, OSWE, CISSP, or notable bug bounty hall of fame entries). These demonstrate your depth of knowledge, though they are not required.

Experience with security policy-as-code or infrastructure as code security (for instance, using tools like Open Policy Agent, Terraform security checks, etc.). This shows you can bring security into the automation and infrastructure realm.

Have built or implemented security features in a product (such as authentication systems, encryption, secure CI/CD pipelines) or contributed to security community projects/tools.

Are an active participant in the security community (e.g. contributing to open source security projects, writing blog posts or research, attending or speaking at security conferences). A passion for continuous learning and sharing knowledge is always a plus on our team. ...