Replit is the agentic software creation platform that enables anyone to build applications using natural language. With millions of users worldwide, Replit is democratizing software development by removing traditional barriers to application creation.
About the RoleWe are looking for a highly skilled PSIRT Engineer to lead the vulnerability response program for Replit’s cloud-native AI platform. You will own the lifecycle of security vulnerabilities affecting our products and services—from intake to validation, remediation coordination, and public disclosure.
This role requires strong technical ability to reproduce vulnerabilities, deep understanding of web/app/cloud exploit classes, and experience operating bug bounty and coordinated disclosure programs. You will work closely with Engineering, Cloud Security, SecOps, SRE, and IT teams to ensure vulnerabilities are fixed quickly and communicated responsibly.
What You’ll DoVulnerability Intake, Triage & ValidationManage intake from bug bounty platforms (HackerOne preferred), customer reports, automated scanners, pentest reports, and coordinated disclosure channels.
Independently validate, reproduce, severity-score, and document findings.
Identify duplicates and maintain a clean vulnerability records pipeline.
Assess relevance and exploitability using OWASP, cloud misconfiguration patterns, and identity/authentication/authorization risks (Oauth, OIDC).
Work with Engineering, SecOps, IT, SRE, and Cloud Security to confirm product impact and drive remediation.
Provide detailed reproduction steps, proof-of-concepts, and technical analyses.
Track SLAs, remediation progress, regression testing, and systemic improvements.
Support SOC 2, ISO 27001, and pentest evidence needs as part of vulnerability lifecycle governance.
Design and evolve the bug bounty program, including scope, rules, and reward structures.
Manage platform selection, private vs. public launches, and community engagement.
Communicate clearly with researchers, provide clarifications, and handle feedback or disputes.
Determine reward payouts, bonus decisions, and recognition for top contributors.
Lead the coordinated vulnerability disclosure process for internal and external findings.
Negotiate disclosure timelines with researchers and partners.
Coordinate CVE assignments and publications, and prepare customer/public advisories.
Experience running or triaging for bug bounty programs (HackerOne ideally).
Strong ability to triage, validate, and reproduce vulnerabilities independently.
Deep understanding of web/app/cloud vulnerability classes, OWASP Top 10, misconfigurations, authN/Z issues, etc.
Familiarity with cloud platforms (GCP preferred) and SaaS architectures.
Strong understanding of CI/CD workflows, code structure, and software engineering fundamentals.
Scripting or automation experience (Python, Go, Bash).
Pentesting background or exposure to offensive security work.
Familiarity with compliance frameworks such as SOC 2 and ISO 27001.
Experience authoring public advisories or CVE writeups.
Hands-on experience with SIEM, Cloud Logging, and investigative tooling.
This is a full-time role that can be held from our Foster City, CA office. The role has an in-office requirement of Monday, Wednesday, and Friday.
Full-Time Employee Benefits Include:
💰 Competitive Salary & Equity
💹 401(k) Program with a 4% match (US Only)
⚕️ Health, Dental, Vision and Life Insurance
🩼 Short Term and Long Term Disability
🚼 Paid Parental, Medical, Caregiver Leave
🏝 Flexible Time Off (FTO) + Holidays
🚗 Commuter Benefits (In-Office Only)
📱 Monthly Wellness Stipend
🧑💻 Autonomous Work Environment
🖥 In Office Set-Up Reimbursement (In-Office Only)
🚀 Quarterly Team Gatherings
☕ In Office Amenities (In-Office Only)
Want to learn more about what we are up to?
Meet the Replit Agent
Replit: Make an app for that
Replit Blog
Amjad TED Talk
Interviewing + Culture at Replit
Operating Principles
Reasons not to work at Replit
To achieve our mission of making programming more accessible around the world, we need our team to be representative of the world. We welcome your unique perspective and experiences in shaping this product. We encourage people from all kinds of backgrounds to apply, including and especially candidates from underrepresented and non-traditional backgrounds.
Skills Required
- Experience running or triaging bug bounty programs
- Ability to triage, validate, and reproduce vulnerabilities independently
- Understanding of web/app/cloud vulnerability classes, OWASP Top 10, misconfigurations
- Familiarity with cloud platforms, preferably GCP
- Understanding of CI/CD workflows and software engineering fundamentals
Replit Compensation & Benefits Highlights
The following summarizes recurring compensation and benefits themes identified from responses generated by popular LLMs to common candidate questions about Replit and has not been reviewed or approved by Replit.
-
Parental & Family Support — Parental leave spans up to 24 weeks for birth parents with additional paid medical, bonding, and family‑care leave. These policies are characterized as generous compared to common U.S. tech norms.
-
Healthcare Strength — Medical, dental, and vision coverage are paired with an employer‑funded HSA plus life and disability insurance. Options like FSA/DFSA and mental‑health support further reinforce the health offering.
-
Wellbeing & Lifestyle Benefits — Monthly wellness stipends, learning and development funds, and recognition programs add ongoing value beyond cash compensation. Office meals, commuter benefits, and onsite amenities enhance day‑to‑day experience for those near the HQ.
Replit Insights
What We Do
Replit is the agentic software creation platform that enables anyone to build applications using natural language. With millions of users worldwide and over 500,000 business users, Replit is democratizing software development by removing traditional barriers to application creation.
