Senior Product Security Engineer jobs in United States
cer-icon
Apply on Employer Site
company-logo

Vercel · 7 hours ago

Senior Product Security Engineer

positionUnited States
timeFull-time
remoteOnsite
senioritySenior Level
money$196K/yr - $294K/yr
date5+ years exp

Vercel is a company that provides developers with tools and cloud infrastructure to build and secure a faster web. They are seeking a Senior Product Security Engineer to drive critical product security initiatives, focusing on threat modeling, secure code review, and managing their bug bounty program.

Artificial Intelligence (AI)Cloud InfrastructureDeveloper PlatformSoftwareWeb Development
check
Growth Opportunities
check
H1B Sponsor Likelynote

Responsibilities

Threat Modeling & Design Review: Partner with engineering and product teams to perform threat modeling for new and existing features. Identify potential risks early in the design phase and recommend security controls or design changes to mitigate threats. You will ensure security concerns are addressed from the inception of features through deployment
Secure Code Review: Conduct secure code reviews and security assessments on products and services built with Next.js, Node.js, and our serverless backend. You’ll uncover code-level vulnerabilities, provide actionable remediation guidance to developers, and establish best practices for secure coding across the engineering team
Open Source Security Management: Oversee Vercel’s open-source security efforts. This includes monitoring and coordinating fixes for vulnerabilities in third-party open-source packages we use (as a consumer) and ensuring the security of the open-source projects we maintain and publish (as a contributor/publisher, e.g. Next.js). You will work with maintainers and the community on responsible disclosure and patching of security issues in open-source code
SDLC Tooling & Automation: Evaluate, select, and integrate security tools into our Software Development Life Cycle. You will drive the implementation of automated security checks – for example, using GitHub Advanced Security (GHAS) and other static analysis, dependency scanning, and secret detection tools – directly in our CI/CD pipelines and GitHub workflows. By embedding security tooling into developer workflows, you will help catch issues early and reduce manual effort
Bug Bounty Program Management: Own and expand Vercel’s bug bounty program. You will triage and validate incoming vulnerability reports from the security researcher community, ensure critical issues are promptly addressed, and coordinate cross-team efforts to remediate and learn from reported vulnerabilities. You’ll also work on making our bug bounty a world-class, researcher-friendly program, including refining policies, scope, and engagement to encourage high-quality submissions
Cross-Organizational Security Initiatives: Lead and contribute to security projects that span multiple teams and disciplines. For example, you might drive a company-wide upgrade to a more secure framework, implement a new authentication/authorization mechanism in collaboration with product teams, or roll out a security awareness program for engineers. You will act as a security champion across the org, aligning stakeholders from Engineering, DevOps, Product, and other groups to implement lasting security improvements
Customer-Facing Security Support: Work closely with customer success and product marketing on security-related initiatives that impact our users. This may involve contributing to security documentation and whitepapers, assisting with customer security questionnaires or audits by providing product security expertise, and communicating our security features and best practices to build customer trust in the platform

Qualification

Threat ModelingSecure Code ReviewSDLC ToolingOpen Source SecurityBug Bounty ManagementJavaScript/TypeScriptNode.js SecuritySecurity ToolsCloud SecurityTechnical LeadershipCommunication SkillsTeam Collaboration

Required

5+ years of experience in a Product Security or Product Security role (or related field), with a track record of securing web products and services
Strong familiarity with JavaScript/TypeScript and Node.js runtime security
Demonstrated ability to perform threat modeling and architectural risk analysis for complex product
Experience implementing or working with secure development lifecycle practices (secure design, code review, pentesting, etc.) is required
Hands-on experience with product security tooling such as static product security testing (SAST), dynamic testing (DAST), dependency vulnerability scanners, and CI/CD pipeline security integration
Knowledge of open-source security best practices
Exposure to running or participating in a bug bounty program or vulnerability disclosure process
Solid understanding of cloud architecture and serverless environments from a security perspective
Proven ability to drive security initiatives and influence engineering teams to adopt best practices

Preferred

Experience with GitHub Advanced Security or similar tools for code scanning and secret detection
Experience dealing with open-source dependencies and package management security (e.g., handling vulnerability advisories, using tools like Dependabot or Snyk)
Experience with related cloud security concepts or tools
Prior software development experience beyond security (e.g. as a frontend or backend engineer)
Hold relevant security certifications or recognitions (for example, OSCP, OSWE, CISSP, or notable bug bounty hall of fame entries)
Experience with security policy-as-code or infrastructure as code security (for instance, using tools like Open Policy Agent, Terraform security checks, etc.)
Have built or implemented security features in a product (such as authentication systems, encryption, secure CI/CD pipelines) or contributed to security community projects/tools
Are an active participant in the security community (e.g., contributing to open source security projects, writing blog posts or research, attending or speaking at security conferences)

Benefits

Competitive compensation package, including equity.
Inclusive Healthcare Package.
Learn and Grow - we provide mentorship and send you to events that help you build your network and skills.
Flexible Time Off.
We will provide you the gear you need to do your role, and a WFH budget for you to outfit your space as needed.

Company

Vercel

twittertwittertwitter
company-logo
Vercel is a developer platform that provides cloud infrastructure services for the web.
dateFounded in 2015
location
Covina, California, USA
people-size501-1000 employees
web-link
https://vercel.com

H1B Sponsorship

Vercel has a track record of offering H1B sponsorships. Please note that this does not guarantee sponsorship for this specific role. Below presents additional info for your reference. (Data Powered by US Department of Labor)
Distribution of Different Job Fields Receiving Sponsorship
Represents job field similar to this job
Trends of Total Sponsorships
2025 (4)
2024 (2)
2023 (5)
2022 (5)

Funding

Current Stage
Late Stage
Total Funding
$863M
Key Investors
AccelBedrockGoogle Ventures
2025-09-30Series F· $300M
2024-05-16Series E· $250M
2021-11-23Series D· $150M

Leadership Team

leader-logo
Guillermo Rauch
CEO
linkedin
leader-logo
Malte Ubl
CTO
linkedin

Recent News

Business Wire
Snowflake Unveils Cortex Code, An AI Coding Agent That Drastically Increases Productivity by Understanding Your Enterprise Data Context
2026-02-03
Venturebeat
Vercel rebuilt v0 to tackle the 90% problem: Connecting AI-generated code to existing production infrastructure, not prototypes
2026-02-03
The New Stack
Vercel’s json-render: A step toward generative UI
2026-01-24
Company data provided by crunchbase