Product Security Engineer

Vercel · Remote (Remote - United States)
Software Development
WFA Digital Insight

The demand for skilled security engineers has surged, with a 27% increase in job postings over the last year. As companies like Vercel lead the charge in digital innovation, the need for experts who can embed security into the development lifecycle has never been greater. With Vercel's commitment to shaping the future of the web, this Product Security Engineer role offers a unique chance to influence not just the company's products but the broader open-source ecosystem. Candidates should be prepared to demonstrate their expertise in security engineering, threat modeling, and secure coding practices, as well as their ability to champion a security-first culture.

Job Description

## About the Role

As a Product Security Engineer at Vercel, you will be at the forefront of driving critical product security initiatives across Vercel's products and platform. Your core focus will be on ensuring that security is embedded throughout the development lifecycle, from the inception of features through deployment. You will work closely with internal product engineering teams and customer-facing security programs to identify potential risks early in the design phase and recommend security controls or design changes to mitigate threats.

The role of a Product Security Engineer is pivotal in earning the trust of developers and end-users alike. You will lead cross-organizational security projects and champion a security-first culture within Vercel's engineering organization. This is a high-impact role with broad scope, influencing not only Vercel's core infrastructure and products but also the security of the open-source ecosystems the company contributes to.

Vercel is the agentic infrastructure company that has shaped how the web is built for over a decade. With products like Next.js, v0, and AI SDK, Vercel helps builders move from idea to production with speed, security, and exceptional developer experience. The company is now building the platform for the future, trusted by companies like OpenAI, PayPal, Ramp, Supreme, and millions of developers worldwide.

## What You Will Do

  • Partner with engineering and product teams to perform threat modeling for new and existing features, identifying potential risks early in the design phase.
  • Conduct secure code reviews and security assessments on products and services built with Next.js, Node.js, and the serverless backend.
  • Oversee Vercel's open-source security efforts, including monitoring and coordinating fixes for vulnerabilities in third-party open-source packages.
  • Evaluate, select, and integrate security tools into the Software Development Life Cycle (SDLC), driving the implementation of automated security checks.
  • Manage bug bounty programs, ensuring timely and effective response to security issues reported by the community.
  • Support both internal product engineering teams and customer-facing security programs, ensuring that security is a core part of the development lifecycle.
  • Lead cross-organizational security projects, influencing the security of Vercel's core infrastructure and products.
  • Champion a security-first culture within Vercel's engineering organization, promoting best practices for secure coding and design.
  • Work with maintainers and the community on responsible disclosure and patching of security issues in open-source code.
  • Collaborate with the development team to establish secure coding standards and ensure compliance with security policies.

## What We Are Looking For

  • 5+ years of experience in product security, with a focus on cloud-based technologies and open-source software security.
  • Strong background in threat modeling, secure code review, and SDLC tooling.
  • Experience with security tools such as GitHub Advanced Security (GHAS), static analysis, dependency scanning, and secret detection.
  • Knowledge of secure coding practices, including OWASP guidelines and relevant security frameworks.
  • Experience with cloud platforms (AWS, Azure, GCP) and containerization (Docker, Kubernetes).
  • Strong understanding of network protocols, operating system security, and web application security.
  • Excellent communication and collaboration skills, with the ability to work with both technical and non-technical teams.
  • Experience with bug bounty programs and responsible vulnerability disclosure.

## Nice to Have

  • Experience with Next.js, Node.js, and serverless architecture.
  • Contributions to open-source projects, particularly in the area of security.
  • Certification in security engineering or a related field (e.g., CISSP, CEH).
  • Experience with automation tools (e.g., Python, Bash) for security tasks.
  • Knowledge of AI and machine learning security considerations.

## Benefits and Perks

  • Competitive salary and equity package.
  • Flexible, remote work environment with occasional in-office anchor days.
  • Comprehensive health, dental, and vision insurance.
  • Generous PTO and holiday policy.
  • Professional development opportunities, including conference attendance and training.
  • Access to the latest tools and technologies.
  • Collaborative, dynamic work environment with a team of experienced professionals.
  • Opportunities for growth and advancement within the company.

How to Stand Out

  • Ensure your resume highlights specific examples of threat modeling, secure code review, and SDLC tooling experience.
  • Prepare to discuss your approach to security engineering, including how you stay updated with the latest security threats and technologies.
  • Showcase any contributions to open-source security projects or certifications in security engineering.
  • Be ready to provide examples of how you have championed a security-first culture in previous roles.
  • When negotiating salary, consider factors such as the cost of living in your area, industry standards, and the company's overall compensation package.
  • Pay attention to the company culture and team dynamics during the interview process, as these can significantly impact your job satisfaction and success.

This is a remote position listed on WFA Digital, the platform for professionals who work from anywhere.