Product Security Engineer (PSIRT - Product Security Incident Response Team)

Replit•Foster City, CA

1d•Hybrid

About The Position

Replit is an agentic software creation platform that enables users to build applications using natural language, democratizing software development globally. The company is seeking a highly skilled PSIRT Engineer to lead the vulnerability response program for its cloud-native AI platform. This role involves owning the entire lifecycle of security vulnerabilities affecting Replit's products and services, from intake and validation to remediation coordination and public disclosure. The position requires strong technical ability to reproduce vulnerabilities, a deep understanding of web/app/cloud exploit classes, and experience managing bug bounty and coordinated disclosure programs. The PSIRT Engineer will collaborate closely with Engineering, Cloud Security, SecOps, SRE, and IT teams to ensure rapid vulnerability resolution and responsible communication.

Requirements

Experience running or triaging for bug bounty programs (HackerOne ideally).
Strong ability to triage, validate, and reproduce vulnerabilities independently.
Deep understanding of web/app/cloud vulnerability classes, OWASP Top 10, misconfigurations, authN/Z issues, etc.
Familiarity with cloud platforms (GCP preferred) and SaaS architectures.
Strong understanding of CI/CD workflows, code structure, and software engineering fundamentals.

Nice To Haves

Scripting or automation experience (Python, Go, Bash).
Pentesting background or exposure to offensive security work.
Familiarity with compliance frameworks such as SOC 2 and ISO 27001.
Experience authoring public advisories or CVE writeups.
Hands-on experience with SIEM, Cloud Logging, and investigative tooling.

Responsibilities

Manage intake from bug bounty platforms (HackerOne preferred), customer reports, automated scanners, pentest reports, and coordinated disclosure channels.
Independently validate, reproduce, severity-score, and document findings.
Identify duplicates and maintain a clean vulnerability records pipeline.
Assess relevance and exploitability using OWASP, cloud misconfiguration patterns, and identity/authentication/authorization risks (Oauth, OIDC).
Work with Engineering, SecOps, IT, SRE, and Cloud Security to confirm product impact and drive remediation.
Provide detailed reproduction steps, proof-of-concepts, and technical analyses.
Track SLAs, remediation progress, regression testing, and systemic improvements.
Support SOC 2, ISO 27001, and pentest evidence needs as part of vulnerability lifecycle governance.
Design and evolve the bug bounty program, including scope, rules, and reward structures.
Manage platform selection, private vs. public launches, and community engagement.
Communicate clearly with researchers, provide clarifications, and handle feedback or disputes.
Determine reward payouts, bonus decisions, and recognition for top contributors.
Lead the coordinated vulnerability disclosure process for internal and external findings.
Negotiate disclosure timelines with researchers and partners.
Coordinate CVE assignments and publications, and prepare customer/public advisories.