Security Analyst, Bug Bounty

About The Position

Requirements

• Proven ability to follow bug reports, reproduce, and accurately triage security vulnerabilities.
• Deep familiarity with web security issues, attack vectors, and exploit methodologies (e.g., OWASP Top 10, CWEs, CVEs).
• Competent in offensive security tools to reproduce issues (e.g., Burp Suite, Nuclei, custom scripting).
• Ability to think like an attacker to understand the impact of vulnerabilities.
• Proficient in clear and concise written and verbal communication, with the ability to convey complex technical concepts to both technical and non-technical stakeholders.
• Experience in one of the following areas: Direct experience in a bug bounty program or triaging security vulnerability reports. Direct, deep knowledge of Stripe products and assets, coupled with strong general security knowledge.

Nice To Haves

• Experience in a technical support, operations, or similar role with broad exposure to technical systems and customer/partner communication.
• Prior participation in or experience with bug bounty programs and platforms.
• Experience with analyzing source code to find security vulnerabilities.
• Proficiency in one or more scripting languages (e.g., Python, Ruby) for automation and data analysis.
• Familiarity with cloud-based services and infrastructure (e.g., AWS, GCP, Azure).
• Relevant certifications such as Offensive Security Web Assessor (OSWA) or Burp Suite Certified Professional (BSCP).

Responsibilities

• Analyze, assess, reproduce, and triage incoming security vulnerability reports from the bug bounty program.
• Communicate clearly and effectively with security researchers to follow up on unclear reports, drive report clarity, and increase engagement with top hackers.
• Understand the root cause of security vulnerabilities to help product and engineering teams fix them, and advise on the right mitigation strategies.
• Drive the lifecycle of submissions through to resolution, coordinating with product and engineering stakeholders.
• Act as the security bridge between external researchers and internal teams to facilitate rapid and effective remediation.
• Conduct in-depth data analysis on bug reports and vulnerability patterns to identify systemic risks and inform new security initiatives.
• Provide tactical support for vulnerability management triage processes to augment the team as needed.
• Prepare and implement improvements to the overall bug bounty program.
• Provide feedback and requirements for tool development to enhance triage and security workflows, leveraging opportunities for automation.