Security Researcher (Remote)

Map Ssg

6d•Remote

About The Position

We have already disclosed vulnerabilities in curl (150+ bugs fixed), FFmpeg, django-allauth, OpenSSL, and Avahi. You will expand that list. This role sits at the intersection of manual security research and AI-augmented discovery. You will audit codebases, validate and triage findings from our LLM-powered scanner, and feed your expertise back into the detection engine. Your work directly improves what the AI catches next time.

Requirements

3+ years of experience in application security research, penetration testing, or red teaming
Demonstrated ability to find and responsibly disclose vulnerabilities (CVEs, bug bounties, or published research)
Strong understanding of common vulnerability classes: OWASP Top 10, business logic flaws, auth bypasses, injection chains
Proficiency in reading and analyzing code across Python, JavaScript/TypeScript, Go, Java, or C/C++
Experience with static analysis concepts, code review, and source code auditing
Excellent written communication for vulnerability reports and research write-ups

Nice To Haves

Published CVEs or a meaningful bug bounty track record
Experience with tree-sitter, semgrep, CodeQL, or similar code analysis tooling for benchmarking
Familiarity with LLM-powered security tools or AI-augmented research workflows
Contributions to open-source security projects

Responsibilities

Conduct security research on open-source projects and customer codebases across multiple languages
Validate and triage AI-generated vulnerability findings to calibrate false positive rates
Write detailed vulnerability reports and coordinate responsible disclosure and CVE assignment
Define and refine detection rules, heuristics, and prompt strategies for the scanning engine
Collaborate with the engineering team to improve detection of business logic and auth flaws
Contribute to our public research blog and Wall of Fame