Security Researcher

About Semgrep

Our mission is to make world-class software security available to everyone. This means building program analysis tools that are open source, easy to use, powerful, and fast. It also means building a team with security expertise and a passion for great developer experiences. Most of all, it means working with honesty and respect in a diverse community of dreamers and builders. We’ve redefined static analysis tooling by committing to all of these, and turned our project, Semgrep, into an essential safeguard for code at Snowflake, Dropbox, and more.

About the Team

The Semgrep Supply Chain Security Research Team’s mission is to help our customers secure their code by building the world’s most sophisticated and comprehensive supply chain tool and ruleset. We are responsible for helping our users identify vulnerabilities and building tooling to enable our operational work.

We want to protect customers from emerging threats. We are a highly curious and driven group that helps each other grow and learn.

We collaborative cross functionally. For example, we partner with multiple Product teams, including both Supply Chain and Secrets, to support rule writing or build and improve tooling.

Our core disciplines are security engineering, rule writing, and security research.

About the role

As a Security Researcher at Semgrep, you will research open source vulnerabilities and write Semgrep rules to help secure our customers against the latest threats. Initially, this may be more tactically focused, with many opportunities to grow, build, and expand your Security Researcher experience and career across disciplines. You’ll work on building and improving tooling to help scale our team of Security Researchers.

You will be working closely with full stack developers, Security Researchers, program analysis experts, and infrastructure engineers. You will learn from senior Security Researchers who bring experience and wisdom from years of running AppSec programs, working as security consultants, and discovering new CVEs. There will be opportunities to work with our customers’ security teams at companies ranging from early-stage startups to social-media giants, to learn about their security philosophies.

You’ll attend lunch and learns across the company - learning about everything from advanced type systems to product paradigms - and have opportunities to present your own work. As a Security Researcher, there will be opportunities to speak directly to customers who are using the rules you write. Getting broad exposure and seeing how your work impacts our customers end to end is part of what makes working at an early-stage startup unique.

Location expectations:

• Our expectation is that this role will be based in our San Francisco / New York / Boston office 2 to 3 days per week.

You will:

• Research new and previously observed vulnerabilities to understand what makes them dangerous
• Write Semgrep rules and execute daily operational tasks, such as PR reviews
• Improve and develop new automation to support the team with writing high quality rules
• Build maintainable and extensible tooling and identify opportunities to build new tools
• Leverage data to guide decision making and to improve the performance and quality of our rules
• Collaborate with teams through code reviews, new language support, design discussions, and demos

You are ideal for this role if you:

• Are able to read and write code, scripting is okay
• Have an understanding of CVEs, vulnerabilities, and supply chain security basics
• Have a passion for learning more about securing code
• Are motivated to build a career in application security or security research

Compensation

Salary Range: $ 119,595-$140,700

Our compensation package includes equity and benefits in addition to salary.

Please note that the range listed is for someone based in the San Francisco Bay Area.

What we offer

Our goal is to competitively and fairly compensate every Semgrep employee with a system that equally rewards those who are vocal and those who are less comfortable making demands during the final steps of the hiring process. To that end, we generate internal compensation bands that are used when discussing and negotiating salaries. We update these based on market data to make sure they’re above the average for comparable roles.

We also invest in our employees’ well-being and long term success with comprehensive health plans, generous vacation time, 401k, learning stipends, and more. Our benefits are for everyone, so that you’re taken care of, and we work with individuals to make sure they have what they need, whether that’s quiet work space, adjusted hours, or something else.

Who we are

We have people from France and the Philippines, physics and philosophy, formal methods research and full fledged corporations. We’re new parents and new grads, aspiring authors and aspiring Americans, dog lovers and dogfooders. We get together often to bike, bake, and meet up in parks. In our interactions, we believe respect and honesty go hand in hand, and prioritize both.

Semgrep is an equal-opportunity employer seeking a diverse range of backgrounds. We value who you are — including your cultural heritage, your socioeconomic status, your age, your race, your gender, your sexual orientation, your disabilities. We value what’s vitally important to you — your family, your religion, your politics. We value what you love in this world — your music, your weekend pursuits. We believe in welcoming varied professional backgrounds, educations, and interests. If you’re exceptional in your role, believe in Semgrep’s mission, and treat Semgrep’s values as your own, you belong here.