About The Position

Vercel is seeking a Security Engineer focused on open source frameworks to enhance the security of their widely used projects like Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro. This role offers a high-leverage opportunity to identify and eliminate entire classes of vulnerabilities at the framework level, rather than addressing individual bugs. The engineer will conduct in-depth security assessments, drive framework-level fixes and design changes, and manage the handling of externally reported vulnerabilities, including coordinated disclosure and CVEs. A key responsibility will be owning Vercel's open source bug bounty program for these projects, involving triage, validation, and coordination of fixes with maintainers. The role also emphasizes integrating security early in the design process, building preventive tooling, and ensuring supply chain security for these open source projects. Collaboration with the open source community, including maintainers and researchers, is crucial, with a focus on pragmatic security recommendations and transparent operation.

Requirements

  • You've actually used or broken these frameworks: You've built real things with Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, or Nitro (or closely comparable projects), or you've found and reported security issues in them.
  • You have a deep appreciation and respect for open source work.
  • 4+ years in security engineering, ideally with real hands-on open source contribution experience.
  • You've actually sent PRs to projects like these, not just filed issues against them.
  • You're energized by root cause, not remediation count.
  • Strong JavaScript/TypeScript fundamentals and genuine familiarity with how modern meta-frameworks work under the hood (routing, SSR/RSC, middleware, bundling/build systems).
  • Pragmatic, not theoretical: You can weigh real-world risk against maintainer and community bandwidth, and land on security improvements that actually ship.
  • Experience with structured security assessment methodology and coordinated/responsible disclosure processes, including handling embargoes and writing clear advisories.
  • Clear communicator: You can explain a vulnerability, a tradeoff, or a design recommendation clearly to maintainers, contributors, and non-security engineers alike, in writing and in conversation.
  • Comfortable operating in public: You're used to working transparently with external researchers, maintainers, and the community, not just inside a company's four walls.

Nice To Haves

  • Bonus if you have CVE credits or published security research, especially in JavaScript frameworks or the Node ecosystem.
  • Maintained or heavily contributed to a widely used open source project.
  • Experience with supply chain security tooling (Sigstore, SLSA/provenance, dependency and package scanning).
  • Thought about how increasing AI-agent-authored contributions change the risk model for open source maintenance.
  • Run or triaged for a bug bounty / vulnerability disclosure program before, ideally for open source projects.

Responsibilities

  • Run deep security assessments of framework internals (routing, middleware, caching, data fetching, server actions/RSC boundaries, build tooling) to find the systemic design patterns that produce whole families of issues.
  • Drive design changes upstream that eliminate a category of vulnerability across every application built on the framework.
  • Triage security reports from the community and researchers across Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, Nitro, and other maintained OSS projects.
  • Coordinate embargoed fixes, write and publish advisories, and manage the CVE/CNA process end to end.
  • Own triage and validation of incoming reports to Vercel's open source bug bounty program for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro.
  • Reproduce findings, assess severity, and coordinate fixes with the right maintainers and researchers.
  • Partner with framework maintainers and core teams during RFCs and design review, so new features ship with security considered from the first draft.
  • Contribute linters, codemods, and CI checks that catch regressions of previously-fixed vulnerability classes before they land again.
  • Harden how dependencies, releases, and published packages for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro are built, signed, and distributed.
  • Build review and provenance practices to keep AI-agent-authored contributions safe.
  • Engage directly with maintainers, contributors, and external researchers as peers.
  • Bring pragmatic security recommendations to project discussions.
  • Represent Vercel in coordinated disclosure norms and working groups when an issue spans multiple ecosystems.

Benefits

  • Competitive compensation package, including equity.
  • Inclusive Healthcare Package.
  • Learn and Grow - we provide mentorship and send you to events that help you build your network and skills.
  • Flexible Time Off.
  • We will provide you the gear you need to do your role, and a WFH budget for you to outfit your space as needed.
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service