Security Engineer - Bug Bounty

External
Interactive Brokers External · Hyderabad, India
Full-time · On-site · Posted 4d ago
Tags: Application Security, Compliance, GraphQL, Incident Response, Leadership, OAuth
About the role

We are looking for a Security Engineer focused on Bug Bounty who treats researcher reports as security data, not support tickets. This is not a coordination role - you will be hands-on validating vulnerabilities, reproducing exploits, and working directly with engineering teams to drive fixes. You will own the full lifecycle of the program: scope design, triage, researcher relations, remediation tracking, and the upstream feedback that turns external findings into internal controls.

The other half of this role is developer partnership. Findings that sit in a backlog do not improve security. You will reduce the friction that keeps confirmed vulnerabilities from being fixed - translating researcher reports into clear remediation guidance, removing ambiguity that slows engineers down, and identifying the process or tooling gaps that let the same vulnerability class appear repeatedly.

A deep understanding of how vulnerabilities actually work - not just how to classify them - is fundamental to success here.

Responsibilities

  • Own day-to-day operations of the bug bounty program on the managed platform, including report triage, severity assessment, researcher communication, and payout decisions - maintaining SLA compliance across all inbound volume
  • Reproduce and technically validate submitted vulnerabilities across web, API, mobile, and trading infrastructure attack surfaces - reason independently about exploitability in context, not just what the report claims
  • Classify findings using CVSS, OWASP, and business impact criteria; distinguish genuine risk from theoretical severity; escalate critical issues into incident response workflows with enough context for engineering leadership to act immediately
  • Act as a remediation partner, not just a reporter - work directly with developers to clarify findings, provide exploit context, reproduce issues where needed, and give fix guidance grounded in how the vulnerability actually works; track what slows remediation and fix it
  • Identify recurring vulnerability classes across inbound reports and feed patterns back into AppSec initiatives - SAST rule tuning, developer training, design review checklists - closing the loop from external discovery to internal prevention
  • Maintain program scope, out-of-scope guidance, and rules of engagement; adjust based on surface area changes, new products, and program maturity signals
  • Coordinate with legal, compliance, and communications on responsible disclosure edge cases, researcher disputes, and public disclosure timelines
  • Produce monthly and quarterly program metrics for security leadership - coverage, triage velocity, remediation cycle times, finding trends - with enough analytical depth to drive program decisions
  • Evaluate attack surface expansions - new APIs, products, acquisitions - for readiness to enter program scope

Requirements

  • 2-5 years in application security, penetration testing, bug bounty operations, or a security engineering role with hands-on validation focus
  • Strong foundational knowledge of how web application vulnerabilities work at a technical level - SSRF, IDOR, auth bypass, injection classes, business logic flaws, API authorization failures, OAuth misconfigurations - not just awareness of their names
  • Ability to read a researcher report and independently reason about exploitability in the specific context of the application - understand trust boundaries, data flow, and what an attacker would actually need to trigger the finding
  • Experience operating a bug bounty or vulnerability disclosure program on a managed platform - Bugcrowd, HackerOne, or equivalent - with ownership of triage decisions and researcher communication
  • Strong written communication under pressure - you will be writing triage decisions to elite researchers and remediation guidance to developers simultaneously; both audiences require clarity and credibility
  • Familiarity with REST and GraphQL API security, OAuth 2.0 flows, session management, and web application architecture at the level needed to validate findings without relying on the researcher's reproduction steps alone
  • Ability to work cross-functionally with engineering teams - translate security findings into actionable, developer-friendly guidance that engineers will actually implement rather than defer
  • Active bug bounty participation as a researcher - candidates who have filed reports themselves understand what makes a finding credible, what frustrates researchers about triage decisions, and how to run a program that retains high-signal contributors
  • Development background - candidates who have written producti
