Senior or Staff Vulnerability Research Engineer
Remote
GitLab
From planning to production, bring teams together in one application. Ship secure code more efficiently to deliver value faster.This Senior or Staff Vulnerability Research Engineer position is 100% remote.
It’s an exciting time to join our team. We're the world’s largest all-remote company, and we've been intentionally building our culture this way from the start. With more than 1,200 team members in 65+ countries, GitLab is a place where you can contribute from almost anywhere. We are an ambitious, productive team that embraces a set of shared values in everything we do.
You'll be at the forefront of our R&D efforts in our Engineering department in this role. You’ll be expected to focus on improving GitLab’s security detection capabilities in our Secure and Protect stage groups. This includes SAST, DAST and future products.
The Vulnerability Research team works closely with GitLab Security, Development, and Product teams to build, tune and improve the efficacy of the security products that are integrated into GitLab.
Vulnerability Research Engineers perform research to analyze software vulnerabilities, exploitation methods, track new vectors, discover novel methods and approaches in software security, apply this knowledge to the security products and GitLab itself. To get a better sense of what the team does daily, you can browse some of the past information sharing sessions.
The culture here at GitLab is something we’re incredibly proud of. Some of the benefits you’ll be entitled to vary by the region or country you’re in. However, all GitLab team members are fully remote and receive a no ask, must tell paid-time-off policy, where we don’t count the number of days you take off annually -- instead, we focus on your results. You can work the hours you choose, enabled by our asynchronous approach to communication. You can also expect stock options and a competitive salary. Our compensation calculator will be shared with selected candidates before any interview.
Diversity, Inclusion, and Belonging (DIB) are fundamental to the success of GitLab. We want to infuse DIB in every way possible and in all that we do. We strive to create a transparent environment where all team members around the world feel that their voices are heard and welcomed. We also aim to be a place where people can show up as their full selves each day and contribute their best. With more than 100,000 organizations using GitLab, our goal is to have a team that is representative of our users.
What you'll do in this role:
- Dedicate all bandwidth to dogfooding and contributing directly to the Secure and Protect products.
- Carry out research and come up with proofs of concept that affect the security products and GitLab.
- Curate (dependency scanning) advisory databases. This is a semi-automatic task that includes auditing/reviewing, editing existing and adding new advisories to the database while, at the same time, trying to automate repetitive tasks away as much as possible.
- Build/develop benchmarks to test the efficacy of scanning and detection products.
- Measure and Improve the efficacy of scanning and detection products over time.
- Conduct code review of Ruby and Go backend code.
- Build/develop/improve our solutions in the area of static and dynamic analysis.
- Write detailed technical reports.
- Assess security product output results and conduct root cause analysis to improve efficacy.
- Respond to internal and external customer inquiries on vulnerabilities and related topics.
You should apply if you bring:
- 2+ years of direct experience in developing and improving vulnerability detection products in the context of web security.
- Knowledge of the vulnerability management process.
- Knowledge of software composition analysis (SCA) and software supply chain ecosystems.
- Knowledge about compilers, compiler design and construction.
- Experience with source code analysis, static application security testing (SAST), and dynamic application security testing (DAST).
- Experience developing automated web security testing/analysis tools.
- Knowledge about benchmarking for testing the efficacy of scanning and detection products.
- Experience completing code reviews of Ruby and Go backend code.
- Experience in product development.
- You have a passion for security and open source.
- You are a team player, and enjoy collaborating with cross-functional teams.
- You are a great communicator (written and verbal).
- You employ a flexible and constructive approach when solving problems.
- You are curious and like to explore & experiment.
- Our values of collaboration, results, efficiency, diversity, iteration, and transparency resonate with you.
You’ll stand out if you bring:
- Experience with abstract interpretation, program analysis methods.
- Experience with binary analysis, reverse-engineering.
- Experience with exploit development.
- Scientific data analysis skills.
- Bug-hunting experience.
- 0day discoveries, CVEs.
Also, we know it’s tough, but please try to avoid the confidence gap. You don’t have to match all the listed requirements exactly to be considered for this role.
Our hiring process for this Senior or Staff-level Vulnerability Research Engineer position typically follows four stages. The details of this process and our leveling structure can be found on our job family page.
Remote-North America Remote-APAC Remote-US Remote-global Remote-emeaCountry Hiring Guidelines
Please visit our Country Hiring Guidelines page to see where we can hire.
Your Privacy
For information about our privacy practices in the recruitment process, please visit our Recruitment Privacy Policy page.
Tags: Application security Audits Code analysis Compilers DAST Exploit Open Source Privacy R&D Ruby SAST Vulnerabilities Vulnerability management
Perks/benefits: Competitive pay Equity Flex hours Flex vacation Startup environment Transparency
More jobs like this
Explore more InfoSec / Cybersecurity career opportunities
Find even more open roles in Ethical Hacking, Pen Testing, Security Engineering, Threat Research, Vulnerability Management, Cryptography, Digital Forensics and Cyber Security in general - ordered by popularity of job title or skills, toolset and products used - below.
- Open Ethical hacker / Pentester H/F jobs
- Open Information Security Specialist jobs
- Open Manager Pentest H/F jobs
- Open Senior Cyber Security Engineer jobs
- Open Cyber Security Architect jobs
- Open Cyber Security Specialist jobs
- Open Product Security Engineer jobs
- Open Principal Security Engineer jobs
- Open Staff Security Engineer jobs
- Open Information Systems Security Officer (ISSO) jobs
- Open Senior Information Security Analyst jobs
- Open Cybersecurity Analyst jobs
- Open Consultant infrastructure sécurité H/F jobs
- Open Chief Information Security Officer jobs
- Open IT Security Analyst jobs
- Open Consultant SOC / CERT H/F jobs
- Open Cybersecurity Consultant jobs
- Open Security Specialist jobs
- Open Senior Information Security Engineer jobs
- Open Cybersecurity Specialist jobs
- Open Senior Penetration Tester jobs
- Open Senior Security Architect jobs
- Open Security Researcher jobs
- Open Sr. Security Engineer jobs
- Open IT Security Engineer jobs
- Open Clearance-related jobs
- Open ISO 27001-related jobs
- Open Windows-related jobs
- Open Application security-related jobs
- Open Network security-related jobs
- Open Agile-related jobs
- Open Pentesting-related jobs
- Open Vulnerability management-related jobs
- Open GCP-related jobs
- Open Analytics-related jobs
- Open SaaS-related jobs
- Open CISA-related jobs
- Open IAM-related jobs
- Open Threat intelligence-related jobs
- Open APIs-related jobs
- Open Security assessment-related jobs
- Open Java-related jobs
- Open IDS-related jobs
- Open DevOps-related jobs
- Open Security Clearance-related jobs
- Open Malware-related jobs
- Open EDR-related jobs
- Open Kubernetes-related jobs
- Open CEH-related jobs
- Open IPS-related jobs