Technical Program Manager, Security - Coordinated Vulnerability Disclosure

AnthropicSeattle, WA
5hHybrid
Match Resume

About The Position

As a Technical Program Manager for Security, Coordinated Vulnerability Disclosure (CVD), you will build and lead the programs that govern how Anthropic responsibly discloses software vulnerabilities discovered by our AI-powered tools, including Claude, Patchy, and Claude Code. These tools have already found real zero-days in Firefox, the Linux kernel, and other critical software. The challenge is no longer just finding vulnerabilities; it is managing the consequences of finding them at unprecedented scale and speed. Traditional coordinated disclosure frameworks were designed for a world where a researcher might find one serious vulnerability every few weeks. AI-powered discovery has changed that equation entirely; Claude can surface hundreds of findings in a single codebase in a single day. This role exists to ensure that every finding reaches the right maintainer, at the right pace, with the right context, and that Anthropic meets its Responsible Scaling Policy (RSP) commitments in the process. You will own the end-to-end CVD lifecycle: from internal triage and human validation of AI-generated findings, through tiered disclosure timelines, to external coordination with vendors, open-source maintainers, and organizations. This role requires deep collaboration across Security Engineering, Legal, Communications, Product, and Frontier Red Team to ensure Anthropic operates as a responsible steward of the vulnerabilities its tools discover.

Requirements

  • 10+ years of experience in cybersecurity, vulnerability management, or security operations, with at least 4+ years leading vulnerability disclosure, vulnerability management, or coordinated response programs
  • Deep understanding of coordinated vulnerability disclosure processes, including experience working with CERT/CC, MITRE CVE, or similar coordination bodies
  • Technical familiarity with vulnerability discovery tooling, static analysis, fuzzing infrastructure (e.g., OSS-Fuzz, CodeQL), and the triage workflows that turn raw findings into actionable reports
  • Experience engaging directly with open-source maintainers and understanding the dynamics of open-source project governance, contributor capacity, and maintainer burnout
  • Proven experience as a Technical Program Manager or similar role in a cybersecurity or technology-focused environment, with a track record of leading complex, cross-organizational programs to successful completion
  • Executive communication skills with demonstrated ability to influence decisions at the senior leadership and C-suite level
  • Ability to manage highly ambiguous problems and navigate challenges to achieve program objectives in a fast-paced, evolving environment
  • Strong collaboration skills with proven ability to partner across diverse technical and non-technical stakeholders including Security Engineering, Legal, Communications, and Product teams

Nice To Haves

  • Experience building vulnerability disclosure or coordinated response programs from the ground up in high-growth technology companies
  • Background as a CVE Numbering Authority (CNA) operator, or experience managing the operational requirements of CVE issuance, embargo coordination, and formal vulnerability tracking
  • Familiarity with AI/ML-powered security tooling and the unique challenges of managing AI-generated vulnerability reports at scale, including false-positive filtering and quality assurance
  • Experience with vulnerability management platforms and tracking systems (e.g., HackerOne, Bugcrowd, or custom internal tooling)
  • Prior work in security research, penetration testing, or red teaming that provides firsthand understanding of the vulnerability lifecycle from discovery through remediation
  • Familiarity with compliance frameworks (SOC 2, ISO 27001, FedRAMP) and their intersection with vulnerability disclosure requirements
  • Experience managing multi-stakeholder disclosure scenarios involving ecosystem-level vulnerabilities that affect multiple projects simultaneously

Responsibilities

  • Own end-to-end CVD program strategy and execution: Define and drive the roadmap for coordinated vulnerability disclosure, from AI-generated finding through maintainer notification, remediation tracking, and public disclosure. Ensure alignment with Anthropic’s security posture and RSP compliance requirements.
  • Lead internal triage and quality assurance: Establish and manage the human review process that validates all AI-generated findings before external disclosure. Set minimum confidence thresholds, deduplicate against known CVEs, and ensure every report sent to a maintainer meets Anthropic’s quality bar.
  • Design and operate tiered disclosure timelines: Implement severity-based disclosure windows with appropriate extension policies.
  • Build and manage pacing and submission models: Develop rate-limiting frameworks that govern how many findings are submitted to each project, scaled to maintainer capacity and project size.
  • Lead external coordination and partner engagement: Manage relationships with open-source maintainers and closed-source vendors. Serve as the primary point of contact for vulnerability coordination, including escalation when maintainers are unresponsive. Drive the phased rollout from initial trusted partners through broader open-source engagement.
  • Establish program metrics and reporting: Define and track the metrics that determine program health, including fix rates, false-positive rates, median time-to-patch, and qualitative maintainer feedback. Use these metrics to inform decisions about program expansion, pacing adjustments, and policy updates.
  • Drive response category classification: Manage the process for classifying findings into response categories (latent vulnerability, active exploitation, ecosystem-level pattern) and ensure the appropriate response protocol is triggered for each category.
  • Lead cross-functional coordination: Manage stakeholder relationships across Security Engineering, Legal, Communications, Product, and Frontier Red Team to drive alignment and execution on disclosure initiatives. Ensure legal review of disclosure timelines and coordinate public communications around significant findings.
  • Collaborate with senior leadership and executives: Communicate program vision, risks, and progress with executive presence. Influence strategic priorities and secure alignment across leadership teams, including the CISO and CTO organizations.

Benefits

  • competitive compensation and benefits
  • optional equity donation matching
  • generous vacation and parental leave
  • flexible working hours
  • a lovely office space in which to collaborate with colleagues

Stand Out From the Crowd

Upload your resume and get instant feedback on how well it matches this job.

Upload and Match Resume

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Job Search Resources

Similar Technical Program Manager, Security - Coordinated Vulnerability Disclosure job opportunities

Technical Security Program Manager
Whatnot
Whatnot • San Francisco, CA12d • Hybrid
Technical Security Program Manager
Whatnot
Whatnot • San Francisco, CA10d • Hybrid
Content Security Technical Program Manager
The Walt Disney Company
The Walt Disney Company • Glendale, CA5d • $134,000 - $149,000 • Hybrid
Content Security Technical Program Manager
The Walt Disney Company
The Walt Disney Company • Glendale, CA4d • $134,000 - $149,000 • Hybrid
Threat and Vulnerability Program Manager
Georgetown University
Georgetown University • Lexington, MA8d • $80,429 - $157,239 • Remote
Senior Technical Program Manager, Product Security
Chan Zuckerberg Initiative
Chan Zuckerberg Initiative • Redwood City, CA5d • $190,000 - $261,800 • Hybrid
Explore More Jobs

Tools

Career Hubs

Guides

Company

© 2024 Teal Labs, Inc
Privacy PolicyTerms of Service