Product Security Engineer (PSIRT - Product Security Incident Response Team)

Replit
Foster City, US
Remote

Who this role is best for

A natural match if you have experience managing vulnerability response programs and working with cloud-native AI platforms in a remote-first environment.

Best fit for

  • Senior security engineer with bug bounty program management experience.
    — “Experience running or triaging for bug bounty programs
  • Cloud security specialist familiar with SaaS architectures and GCP.
    — “Familiarity with cloud platforms (GCP preferred) and SaaS architectures
  • Technical leader capable of reproducing complex vulnerabilities independently.
    — “Strong ability to triage, validate, and reproduce vulnerabilities independently

Things to consider

  • Requires in-office presence three days per week in Foster City.
    — “in-office requirement of Monday, Wednesday, and Friday
  • Must coordinate disclosures with external researchers and partners.
    — “Negotiate disclosure timelines with researchers and partners

How to stand out

  • Highlight specific experience with HackerOne or similar platforms.
    — “bug bounty platforms (HackerOne preferred)
  • Demonstrate knowledge of OWASP Top 10 and cloud misconfigurations.
    — “Deep understanding of web/app/cloud vulnerability classes, OWASP Top 10
  • Show examples of coordinating CVE assignments and advisories.
    — “Coordinate CVE assignments and publications
Pace · Fast PacedCollaboration · HighAutonomy · MediumDecision Impact · TeamLevel · Senior

Derived from job-description analysis by Serendipath's career intelligence engine.

What success looks like

  • Successfully managing and evolving the bug bounty program
  • Leading the coordinated vulnerability disclosure process
  • Ensuring vulnerabilities are fixed quickly and communicated responsibly
Typical background
Experience in security operations or incident responseBackground in software development or cloud security

Skills & requirements

Required

Experience Running Or Triaging For Bug Bounty ProgramsStrong Ability To Triage, Validate, And Reproduce Vulnerabilities IndependentlyDeep Understanding Of Web/app/cloud Vulnerability Classes, Owasp Top 10, Misconfigurations, Authn/z IssuesFamiliarity With Cloud Platforms (GCP Preferred) And Saas ArchitecturesStrong Understanding Of Ci/cd Workflows, Code Structure, And Software Engineering Fundamentals

Preferred

Scripting Or Automation Experience (python, Go, Bash)Pentesting Background Or Exposure To Offensive Security WorkFamiliarity With Compliance Frameworks Such As SOC 2 And ISO 27001Experience Authoring Public Advisories Or CVE WriteupsHands-on Experience With Siem, Cloud Logging, And Investigative Tooling

Stack & domain

PythonGoBashC/c++HackeroneOwaspIso 27001Soc 2SiemCloud LoggingInvestigative ToolingLeadershipCommunicationSecurityCloudAISaasSoftware Engineering

About the role

As a Product Security Engineer at Replit, you'll be at the forefront of safeguarding the company's cloud-native AI platform, working to identify and mitigate vulnerabilities swiftly and responsibly, making this role ideal for someone with a keen eye for detail and a passion for cybersecurity.

Original posting from Replit via Ashby

Replit is the agentic software creation platform that enables anyone to build applications using natural language. With millions of users worldwide, Replit is democratizing software development by removing traditional barriers to application creation.

ABOUT THE ROLE

We are looking for a highly skilled PSIRT Engineer to lead the vulnerability response program for Replit’s cloud-native AI platform. You will own the lifecycle of security vulnerabilities affecting our products and services—from intake to validation, remediation coordination, and public disclosure.

This role requires strong technical ability to reproduce vulnerabilities, deep understanding of web/app/cloud exploit classes, and experience operating bug bounty and coordinated disclosure programs. You will work closely with Engineering, Cloud Security, SecOps, SRE, and IT teams to ensure vulnerabilities are fixed quickly and communicated responsibly.

WHAT YOU’LL DO

VULNERABILITY INTAKE, TRIAGE & VALIDATION

  • Manage intake from bug bounty platforms (HackerOne preferred), customer reports, automated scanners, pentest reports, and coordinated disclosure channels.
  • Independently validate, reproduce, severity-score, and document findings.
  • Identify duplicates and maintain a clean vulnerability records pipeline.
  • Assess relevance and exploitability using OWASP, cloud misconfiguration patterns, and identity/authentication/authorization risks (Oauth, OIDC).

REMEDIATION COORDINATION & SLA MANAGEMENT

  • Work with Engineering, SecOps, IT, SRE, and Cloud Security to confirm product impact and drive remediation.
  • Provide detailed reproduction steps, proof-of-concepts, and technical analyses.
  • Track SLAs, remediation progress, regression testing, and systemic improvements.
  • Support SOC 2, ISO 27001, and pentest evidence needs as part of vulnerability lifecycle governance.

BUG BOUNTY & VULNERABILITY DISCLOSURE PROGRAM MANAGEMENT

  • Design and evolve the bug bounty program, including scope, rules, and reward structures.
  • Manage platform selection, private vs. public launches, and community engagement.
  • Communicate clearly with researchers, provide clarifications, and handle feedback or disputes.
  • Determine reward payouts, bonus decisions, and recognition for top contributors.

COORDINATED DISCLOSURE & CVE MANAGEMENT

  • Lead the coordinated vulnerability disclosure process for internal and external findings.
  • Negotiate disclosure timelines with researchers and partners.
  • Coordinate CVE assignments and publications, and prepare customer/public advisories.

REQUIRED SKILLS

  • Experience running or triaging for bug bounty programs (HackerOne ideally).
  • Strong ability to triage, validate, and reproduce vulnerabilities independently.
  • Deep understanding of web/app/cloud vulnerability classes, OWASP Top 10, misconfigurations, authN/Z issues, etc.
  • Familiarity with cloud platforms (GCP preferred) and SaaS architectures.
  • Strong understanding of CI/CD workflows, code structure, and software engineering fundamentals.

NICE TO HAVE

  • Scripting or automation experience (Python, Go, Bash).
  • Pentesting background or exposure to offensive security work.
  • Familiarity with compliance frameworks such as SOC 2 and ISO 27001.
  • Experience authoring public advisories or CVE writeups.
  • Hands-on experience with SIEM, Cloud Logging, and investigative tooling.

This is a full-time role that can be held from our Foster City, CA office. The role has an in-office requirement of Monday, Wednesday, and Friday.

Full-Time Employee Benefits Include:

💰 Competitive Salary & Equity

💹 401(k) Program with a 4% match

⚕️ Health, Dental, Vision and Life Insurance

🩼 Short Term and Long Term Disability

🚼 Paid Parental, Medical, Caregiver Leave

🚗 Commuter Benefits

📱 Monthly Wellness Stipend

🧑‍💻 Autonomous Work Environment

🖥 In Office Set-Up Reimbursement

🏝 Flexible Time Off (FTO) + Holidays

🚀 Quarterly Team Gatherings

☕ In Office Amenities

Want to learn more about what we are up to?

  • Meet the Replit Agent https://www.youtube.com/watch?v=IYiVPrxY8-Y
  • Replit: Make an app for that https://www.youtube.com/watch?v=4zd9hzngFwY
  • Replit Blog https://blog.replit.com/
  • Amjad TED Talk https://youtu.be/kCudFI4tcpg?si=l4ViCejV_f2RZkDi

Interviewing + Culture at Replit

  • Operating Principles https://blog.replit.com/operating-principles
  • Reasons not to work at Replit https://blog.replit.com/reasons-not-to-join-replit

To achieve our mission of making programming more accessible around the world, we need our team to be representative of the world. We welcome your unique perspective and experiences in shaping this product. We encourage people from all kinds of backgrounds to apply, including and especially candidates from underrepresented and non-traditional backgrounds.

Source: Replit careers (Ashby)

Similar roles