Product Security Engineer

Posted 21 Days Ago
Easy Apply
Hiring Remotely in United States
Remote or Hybrid
208K-312K Annually
Senior level
Artificial Intelligence • Cloud • Software
Vercel is the platform where humans and AI agents build, ship, and scale software together.
The Role
Lead product security work across Vercel: threat modeling, secure code reviews, open-source and supply-chain security, SDLC tooling and automation, bug bounty triage, cross-team security projects, and customer-facing security support to embed security across development and platform operations.
Summary Generated by Built In
About Vercel:

Vercel is the agentic infrastructure company. We free people and agents to ship what’s next.

For more than a decade, Vercel has shaped how the web is built. As the team behind Next.js, v0, and AI SDK, we create products that help builders move from idea to production with speed, security, and exceptional developer experience.

Now, software is entering a new era, and the next generation of products will not just be used by people. They will be built, extended, and operated by agents.

We are building the platform for that future, trusted by companies like OpenAI, PayPal, Ramp, Supreme, and millions of developers worldwide. Whether you’re building our products, supporting our customers, growing our community, or shaping our story, you’ll help define what comes next.

About the Role:

Traditional product security teams work one report at a time: a person triages a bug bounty submission, validates it, reproduces it, and hands it off for a fix. That doesn't scale past a certain volume, and Vercel is well past it. Adding more triagers doesn't close that gap. Building the systems that triage at that scale does.

This role is about building that system. Your core focus is tooling that triages and validates bug bounty and other externally reported security findings at scale, reasoning about validity, severity, and reproducibility the way a human triager would, but continuously and at volume. And we want to go beyond triage. The real leverage is in connecting a validated finding to its root cause and driving the fix, ideally with the remediation itself proposed or opened automatically for well-understood vulnerability classes.

More broadly, this is a mandate to rethink traditional security tooling for how Vercel actually operates: agent-scale testing and automation in place of processes built for a much smaller company. This role also has real scope to build tooling that gives our customers their own security testing capabilities for what they build on Vercel, not just harden Vercel's own surface.

Because of this, we're optimizing for someone who wants to build systems, not someone whose background is manual penetration testing. A software engineer with a strong desire to move into security, or a security engineer with a strong engineering background, is exactly who we're looking for.

If you're based within a pre-determined commuting distance of one of our offices (SF, NY, London, or Berlin), the role includes in-office anchor days on Monday, Tuesday, and Friday. If you're located beyond that distance, the role is fully remote. For location-specific details, please connect with our recruiting team.

What You Will Do:
  • Build tooling to triage and validate bug bounty and external findings at scale: Design and operate the systems that take in externally reported vulnerabilities and automatically assess validity, severity, and reproducibility, at a volume no manual triage process could match.
  • Push triage beyond pattern matching, into agentic analysis: Build and operate LLM/agent-based reasoning that can validate business logic, auth, and design-level findings, not just match against known signatures.
  • Go from validated finding to root cause: Trace validated findings back to the underlying pattern or class, so the team fixes the reason it happened, not just the one report that came in.
  • Build toward automated remediation, not just automated triage: Design systems that can propose, and increasingly open, the fix itself for well-understood vulnerability classes, with the right human review gates in place.
  • Rethink traditional security tooling for scale: Question which parts of the traditional product security toolkit (manual threat modeling, ad hoc code review, point-in-time pentests) still make sense at Vercel's scale, and build the agent-driven tooling that replaces or augments them.
  • Own and evolve the bug bounty program: Manage the researcher-facing side (scope, policy, engagement) as well as the internal tooling, so every report gets resolved and makes the automated triage smarter for the next one.
  • Build toward customer-facing security testing capabilities: Extend the tooling and automation you build for Vercel's own products into a capability customers can use to test the security of what they build and deploy on the platform.
About You:
  • You're a builder first: Strong software engineering background is more important here than classic penetration testing experience. You'd rather build the system that triages a thousand reports than work through them one at a time. We're equally excited by a software engineer who wants to move into security and a security engineer with a strong engineering background; a manual pentesting background alone is not what this role is optimized for.
  • Understand vulnerability triage and validation, even if that's not your primary background: You know (or can quickly learn) how to assess an externally reported finding, reproduce it, and judge severity, and you understand what makes that process hard to scale.
  • Curious about, or already building with, agentic and LLM-based security tooling: You have a point of view on where AI agents can reliably validate, root-cause, and fix vulnerabilities today, and where they can't yet.
  • Root cause and systems thinking: You default to "how do I make this scale to the next ten thousand reports" and "why did this class of bug happen," rather than closing the one ticket in front of you.
  • Comfortable defining a new practice: Agent-scale product security isn't a mature discipline yet. You're excited to help define what it looks like at Vercel rather than inherit a playbook.
  • Web tech stack proficiency: Strong familiarity with JavaScript/TypeScript and Node.js runtime security, and modern web frameworks (ideally Next.js or React and Node-based frameworks), so you can read and validate the code your tooling is analyzing.
Bonus If You:
  • Have built or contributed to security automation used broadly across an engineering org, not just for your own team.
  • Have experience running or triaging a bug bounty / vulnerability disclosure program.
  • Have experience testing or securing multi-tenant platforms where customer-built applications run on shared infrastructure.
  • Have built systems that auto-generate or auto-propose code fixes, not just findings.
  • Have thought about what security testing as a product capability could look like for a platform's customers.
  • Hold relevant security certifications or recognitions (for example, OSCP, OSWE, CISSP, or notable bug bounty hall of fame entries). These demonstrate your depth of knowledge, though they are not required.
Benefits:
  • Competitive compensation package, including equity.
  • Inclusive Healthcare Package.
  • Learn and Grow - we provide mentorship and send you to events that help you build your network and skills.
  • Flexible Time Off.
  • We will provide you the gear you need to do your role, and a WFH budget for you to outfit your space as needed.

Vercel is committed to fostering and empowering an inclusive community within our organization. We do not discriminate on the basis of race, religion, color, gender expression or identity, sexual orientation, national origin, citizenship, age, marital status, veteran status, disability status, or any other characteristic protected by law. Vercel encourages everyone to apply for our available positions, even if they don't necessarily check every box on the job description.
The San Francisco, CA base pay range for this role is $208,000.00 - $312,000.00. Actual salary will be based on job-related skills, experience, and location. Compensation outside of San Francisco may be adjusted based on employee location. The total compensation package may include benefits, equity-based compensation, and eligibility for a company bonus or variable pay program depending on the role. Your recruiter can share more details during the hiring process. 

Skills Required

  • 5+ years experience in product security or related role
  • Strong familiarity with JavaScript and TypeScript
  • Hands-on experience with Node.js and modern web frameworks (Next.js/React)
  • Threat modeling and architectural risk analysis experience
  • Experience integrating security tooling into SDLC (SAST, DAST, dependency scanning) and CI/CD
  • Experience with GitHub Advanced Security or similar code scanning and secret detection tools
  • Open-source and supply-chain security experience (e.g., managing vulnerability advisories, Dependabot, Snyk)
  • Experience triaging and managing vulnerability reports or bug bounty programs
  • Understanding of cloud and serverless security concepts
  • Proven ability to lead cross-functional security initiatives and influence engineering teams
  • Prior software development experience (frontend or backend)
  • Relevant security certifications or notable bug bounty recognition (OSCP, CISSP, etc.)
  • Experience with policy-as-code or IaC security tooling (e.g., Open Policy Agent, Terraform security checks)
  • Contributed to or maintained open-source projects or security community participation

What the Team is Saying

Logan Liffick
Jay Gengelbach
Jeanne Dewitt Grosser
Logan Liffick
Jay Gengelbach
Logan Liffick
Logan Liffick
Guillermo Rauch
Guillermo Rauch
Am I A Good Fit?
beta
Get Personalized Job Insights.
Our AI-powered fit analysis compares your resume with a job listing so you know if your skills & experience align.

The Company
HQ: San Francisco, CA
Year Founded: 2015

What We Do

From solo developers building their first app to large enterprise teams if it needs to be fast, reliable, and beautifully built, it runs on Vercel. Our platform powers millions of deployments a day. We started with a simple belief: the web should be fast for everyone, everywhere. That belief became Next.js. Then a platform. Then the infrastructure layer for the AI-native web. We are backed by the amazing team at Accel and CRV, and we're headquartered in San Francisco.

Vercel Offices

Hybrid Workspace

Employees engage in a combination of remote and on-site work.

Vercel is a remote-friendly company. Some roles are in-office (SF, NYC and others), and some are fully remote. For the right candidate, flexible arrangements are available, supported by home office and wellness stipends.

Typical time on-site: Flexible
Company Office Image
HQSan Francisco, CA
Company Office Image
London, England
Company Office Image
Austin, TX
Company Office Image
Berlin, Germany
Company Office Image
New York, NY
Learn more

Similar Jobs

Vercel Logo Vercel

Visual Designer

Artificial Intelligence • Cloud • Software
Easy Apply
Remote or Hybrid
United States
208K-312K Annually

Vercel Logo Vercel

Forward-Deployed Engineer

Artificial Intelligence • Cloud • Software
Easy Apply
Remote or Hybrid
3 Locations
137K-207K Annually

Vercel Logo Vercel

Software Engineer

Artificial Intelligence • Cloud • Software
Easy Apply
Remote or Hybrid
United States
196K-294K Annually

Vercel Logo Vercel

Senior Product Designer

Artificial Intelligence • Cloud • Software
Easy Apply
Remote or Hybrid
United States
156K-234K Annually

Sign up now Access later

Create Free Account

Please log in or sign up to report this job.

Create Free Account