Security Software Engineer, Open Source Frameworks

VercelBerlin, CA
$208,000 - $312,000Remote

About The Position

Vercel is seeking a Security Software Engineer focused on Open Source Frameworks to enhance the security of their widely-used projects like Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro. This role involves deep security assessments of framework internals, identifying systemic vulnerability patterns, and driving framework-level fixes. The engineer will also manage the handling of externally reported vulnerabilities, coordinated disclosure, CVEs, and Vercel's open source bug bounty program for these projects. A key aspect is integrating security early in the design phase of new features and building preventive tooling. The role also encompasses owning the supply chain security for these projects and engaging with the open source community, maintainers, and researchers.

Requirements

  • You've actually used or broken these frameworks: You've built real things with Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, or Nitro (or closely comparable projects), or you've found and reported security issues in them.
  • You have a deep appreciation and respect for open source work.
  • 4+ years in security engineering, ideally with real hands-on open source contribution experience.
  • You're energized by root cause, not remediation count.
  • You can read framework internals, not just application code: Strong JavaScript/TypeScript fundamentals and genuine familiarity with how modern meta-frameworks work under the hood (routing, SSR/RSC, middleware, bundling/build systems).
  • Pragmatic, not theoretical: You can weigh real-world risk against maintainer and community bandwidth, and land on security improvements that actually ship.
  • Vulnerability research chops: Experience with structured security assessment methodology and coordinated/responsible disclosure processes, including handling embargoes and writing clear advisories.
  • Clear communicator: You can explain a vulnerability, a tradeoff, or a design recommendation clearly to maintainers, contributors, and non-security engineers alike, in writing and in conversation.
  • Comfortable operating in public: You're used to working transparently with external researchers, maintainers, and the community, not just inside a company's four walls.

Nice To Haves

  • CVE credits or published security research, especially in JavaScript frameworks or the Node ecosystem.
  • Maintained or heavily contributed to a widely used open source project.
  • Experience with supply chain security tooling (Sigstore, SLSA/provenance, dependency and package scanning).
  • Thought about how increasing AI-agent-authored contributions change the risk model for open source maintenance.
  • Run or triaged for a bug bounty / vulnerability disclosure program before, ideally for open source projects.

Responsibilities

  • Run deep security assessments of framework internals (routing, middleware, caching, data fetching, server actions/RSC boundaries, build tooling) to find the systemic design patterns that produce whole families of issues.
  • Push design changes upstream that eliminate a category of vulnerability across every application built on the framework, rather than patching individual instances as they're reported.
  • Triage security reports from the community and researchers across Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, Nitro, and other maintained OSS projects. Coordinate embargoed fixes, write and publish advisories, and manage the CVE/CNA process end to end.
  • Own triage and validation of incoming reports to Vercel's open source bug bounty program for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro. Reproduce findings, assess severity, and coordinate fixes with the right maintainers and researchers.
  • Partner with framework maintainers and core teams during RFCs and design review, so new features ship with security considered from the first draft, not bolted on after a report comes in.
  • Contribute linters, codemods, and CI checks that catch regressions of previously-fixed vulnerability classes before they land again.
  • Harden how dependencies, releases, and published packages for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro are built, signed, and distributed. Build the review and provenance practices that keep the increased volume of AI-agent-authored contributions safe.
  • Engage directly with maintainers, contributors, and external researchers as peers. Bring pragmatic security recommendations to project discussions in a way that respects how these projects actually get built, and represent Vercel in coordinated disclosure norms and working groups when an issue spans multiple ecosystems.

Benefits

  • Competitive compensation package, including equity.
  • Inclusive Healthcare Package.
  • Learn and Grow - we provide mentorship and send you to events that help you build your network and skills.
  • Flexible Time Off.
  • We will provide you the gear you need to do your role, and a WFH budget for you to outfit your space as needed.
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service