Senior Security Researcher - Software Supply Chain

About The Position

Requirements

• A track record of finding real vulnerabilities - published CVEs, GHSAs, or equivalent advisories with your name on them
• Deep familiarity with multiple vulnerability classes like malicious packages, RCE, prototype pollution, deserialization, SSRF, auth bypasses, CI/CD-specific attack paths and memory corruption
• Experience designing and operating a detection, scanning, or analysis pipeline at scale that run continuously and produce signal
• Strong programming skills in at least one of TypeScript, Python, Go, or Rust
• Comfortable reading code in languages you don't write daily (JavaScript, Ruby, Java, PHP, etc)
• Proven ability to write a good blog post fast
• Hands-on use of LLMs as a research tool
• Understanding of LLMs to know where they break, which prompts and models work best, and when to reach for a model vs. when not to
• Prior work on software supply chain attacks

Nice To Haves

• Contributions to OpenSSF, OSV, Sigstore, SLSA, or adjacent projects are a plus
• Reverse engineering chops - obfuscated JavaScript droppers, packed binaries, malicious post-install scripts are a plus
• A conference talk or two (DEF CON, Black Hat, BSides, OffensiveCon, Kaspersky SAS) is a plus
• Experience with eBPF, sandboxing, or dynamic analysis infrastructure is a plus

Responsibilities

• Design the systems that scan open-source packages (npm, PyPI, RubyGems, Maven, crates.io, Go modules, GitHub Actions, container images, and more) for malicious behavior at scale
• Tune signals, reduce false positives, and add new detection techniques as attackers evolve
• Actively find novel malicious packages, typosquats, dependency confusion attempts, compromised maintainers, and CI/CD abuse patterns
• Coordinate with maintainers, foundations, and registries, file CVEs, work with GitHub Security Advisories, the OSV schema, and platform security teams
• Turn every significant finding into a blog post that's fast, clear, and technically rigorous that gets shared in security newsletters and lands on places like Hacker News
• Build internal tooling that uses static analysis and AI models to triage findings, summarize package diffs, and cluster related campaigns
• Your findings feed directly into what we build. Expect to sit in on roadmap discussions and push back when detection logic in the product doesn't match what you see in the wild
• Stay up-to-date with the latest sandbox evasion and detection measures and create countermeasures and red-teaming exercises
• Keeping a tight line between false positives and false negatives in our detection pipeline to ensure a well-curated and trusted set of threat intelligence

Benefits

• Private health insurance
• 25 days of vacation / PTO
• 7 days of sick leave at 100% pay
• Outstanding referral bonuses
• Paternity leave – 15 days for new dads
• Reduced working hours for the first month after returning from maternity
• Development program (training & conferences, internal knowledge sharing)
• Flexible work environment