Staff Security Engineer, PSIRT

About The Position

Requirements

• 7+ years in security engineering with at least 4 years directly running or leading a PSIRT, product security, or coordinated vulnerability disclosure function.
• Experience at a company that ships connected hardware (LPR/IP cameras, ICS/OT, automotive, medical, or networking gear) is highly preferred.
• Demonstrated end-to-end ownership of the FIRST PSIRT Services Framework v1.1 service areas (Stakeholder Ecosystem, Discovery, Triage, Remediation, Disclosure).
• Hands-on operational experience acting as a CVE Numbering Authority (CNA) or leading the technical onboarding of one.
• Deep knowledge of CNA Operational Rules v4.x, CVE scope definition, and root coordination (CISA ICS-CERT, MITRE).
• Deep familiarity with ISO/IEC 29147 (disclosure), ISO/IEC 30111 (handling), the CERT/CC Guide to CVD, and CISA Binding Operational Directive 20-01.
• Strong technical understanding across product security, with deep operational experience in at least three of the following (areas 1 and 2 are highly prioritized): Embedded/Firmware Security (Secure boot, hardware root of trust, UART/JTAG/USB attack surfaces, OTA integrity), Linux/Android Device Security, Cloud Security on AWS (IAM, EKS, federation, secrets management), Mobile/Web App Security (OWASP Top 10, GraphQL, authn/authz), ML/CV Model Security (Adversarial inputs, data poisoning, extraction).
• Fluent with CVSS v3.1/v4.0, CWE classification, EPSS, and SSVC frameworks.
• Exceptional written skills. You can draft a sharp, customer-facing security advisory, a precise CVE record, an internal postmortem, and a board-level executive summary of the same event—tailoring the tone perfectly to each audience.
• Ability to obtain and maintain CJIS certification as a condition of employment.

Nice To Haves

• Experience at a company that ships connected hardware (LPR/IP cameras, ICS/OT, automotive, medical, or networking gear) is highly preferred.
• You can talk credibly about how you implemented each FIRST PSIRT Services Framework v1.1 service area in a previous role.
• You can defend a severity decision in front of an engineering VP and an external researcher in the same week without changing your story.

Responsibilities

• Stand up and run Flock's Security Incident Response Team (PSIRT).
• Act as the single point of accountability for every externally-reported and internally-discovered vulnerability that touches a Flock product.
• Coordinate with teams about fixes and with security counterparts for security validation.
• Be the operational owner of our newly established CNA.
• Be the technical owner of our Coordinated Vulnerability Disclosure (CVD) program.
• Act as the cross-functional coordinator who drives fixes to closure across Hardware, Firmware, Device SRE, Cloud SRE, Mobile, ML, Legal, Comms, and Customer Support.
• Lead by influence across engineering, legal, communications, and support.
• Set the SLAs, the metrics, the playbooks, and the public security advisories that the rest of the company executes against.
• Manage response operations against established SLAs, tracking key metrics like time-to-triage, time-to-fix, and time-to-disclose.
• Deliver regular performance updates to leadership.
• Execute coordinated public security advisories when necessary, ensuring patches, customer communications, and public disclosures are seamlessly synchronized.

Benefits

• Flexible PTO: non-accrual PTO, plus 11 company holidays.
• Fully-paid health benefits plan for employees: including Medical, Dental, and Vision and an HSA match.
• Family Leave: All employees receive 12 weeks of 100% paid parental leave. Birthing parents are eligible for an additional 6-8 weeks of physical recovery time.
• Fertility & Family Benefits: Partnered with Maven, a complete digital health benefit for starting and raising a family. Flock will provide a $50,000-lifetime maximum benefit related to eligible adoption, surrogacy, or fertility expenses.
• Spring Health: Offers a variety of mental health benefits, including therapy, coaching, medication management, and digital tools, all tailored to each individual's needs.
• Caregiver Support: Partnered with Cariloop to provide employees with caregiver support.
• Carta Tax Advisor: Employees receive 1:1 sessions with Equity Tax Advisors who can address individual grants, model tax scenarios, and answer general questions.
• ERGs: Women of Flock, Flock Proud, LEOs and Melanin Motion.
• WFH Stipend: $150 per month to cover the costs of working from home.
• Productivity Stipend: $300 per year to use on Audible, Calm, Masterclass, Duolingo and so much more.
• Home Office Stipend: A one-time $750 to help you create your dream office.