About the position
We’re looking for a Senior Product Security Operator to lead our bug bounty and vulnerability management programs. As a member of the Product Security team, you will report to the Senior Manager of Product Security. You will be a primary driver of our vulnerability management program, leveraging your expertise to assess contextual impact from both your experience and offensive engagements and other internal and external sources. You will act as a primary point of contact with security researchers in our bug bounty program. Security at DO means solving incredibly complex problems at a high-scale that have real impact for our customers, our products, and for the larger internet community. We want people who are passionate about making the internet a safer place for everyone. You will also have opportunities to conduct internal ethical hacking activities collaboratively alongside engineering teams to uncover vulnerabilities and weaknesses in the enterprise and consumer product environments. We believe that finding an issue is only the beginning of our work; we value cross-team coalitions and collaboration with the business to find reasonable remediations and view this post-engagement collaboration, regardless of whether the issue is an internal pentest finding or a bug bounty submission, as crucial to success. Your work will make our million+ customers more secure and will help ensure that DigitalOcean is a respected contributor to the broader security community.
Responsibilities
- Lead our bug bounty and vulnerability management programs (85%)
- Act as the primary point of contact to security researchers engaged in our bug bounty program
- Assess and triage new vulnerabilities to the vulnerability management program to determine contextual impact to the business
- Educate security and engineering teams on topical vulnerability patterns, in coordination with teams such as fraud & abuse and threat intelligence
- Occasionally perform penetration testing engagements and find vulnerabilities in software, systems, and networks (10%)
- Collaborate with security and engineering teams during key product launches to set scope, objective, and execution for penetration testing engagements, and keep stakeholders informed.
- Develop tools, methodologies, and infrastructure to support penetration testing engagements
- Provide holistic assessments of security layers across infrastructure, application, people, and process
- Cultivate and promote a security culture (5%)
- Champion an internal security culture (developer training, internal CTFs, etc.)
- Help DigitalOcean engineers understand how security events impact them.
Requirements
- 3+ years experience operating a paid enterprise bug bounty program
- Expert understanding of software security architecture and design, threat modeling, and mitigations for common application security issues (e.g. OWASP Top Ten mitigations)
- A record of partnering with internal engineering teams to tackle security problems across an entire stack with empathy and creativity.
Nice-to-haves
- Experience as a bug bounty researcher submitting reports to bug bounty programs.
- Contributions to the security community, such as open source tools, research papers, or conference talks.
- Familiarity with a variety of vulnerability and risk assessment frameworks, such as CWSS, FAIR, and SSVC
- Highlight if you have any GIAC, eLearning, or similar certifications relevant to web, network, and systems penetration testing (OSCP, eCPPT, GPEN, CPTS, BSCP, etc.)
Benefits
- Competitive salary range of $133,700 - $167,100 based on market data, relevant years of experience, and skills.
- Bonus eligibility based on company and individual performance.
- Equity compensation including equity grants upon hire and participation in Employee Stock Purchase Program.
- Reimbursement for relevant conferences, training, and education.
- Access to LinkedIn Learning's 10,000+ courses for continued growth and development.
- Flexible time off policy.
- Employee Assistance Program.
- Local Employee Meetups.
