ZipRecruiter

Log In

1

Bug Bounty Program Jobs in California (NOW HIRING)

Adobe, Inc.

Product Security Engineer

San Jose, CA · On-site

Define AI testing scope for penetration testing and bug bounty programs. Drive resolution of security issues through ongoing engagement with engineering teams. Capture all relevant data and results ...

Adobe

Product Security Engineer

San Jose, CA

Define AI testing scope for penetration testing and bug bounty programs. Drive resolution of security issues through ongoing engagement with engineering teams. Capture all relevant data and results ...

Merge

Head of Security

San Francisco, CA · On-site

... Bug Bounty Program • Implement security controls across Merge, from infrastructure to CI • Implement and run manual and automated security practices to mitigate vulnerabilities • Assist with ...

MM International

Penetration Tester

San Francisco, CA · On-site

Experience in Red Teaming and bug bounty programs preferred Ideal Candidate: * 5-8 years of security testing experience * Proven ability to mentor teams and implement enterprise security solutions

Replit

SOC Engineer

Foster City, CA · On-site

$180K - $250K/yr

Experience working with bug bounty programs or coordinated vulnerability disclosure workflows. * Experience in fast-paced, cloud-native, or AI/ML-driven environments. What We Value * Curiosity ...

Verkada

Staff+ Product Security Engineer

San Mateo, CA · On-site

Create and operate a bug bounty program * Triage and recommend solutions for security bugs from tools, third party assessments and bug bounties * Collaborate with the CISO and security team to grow ...

Merge API

Head of Security

San Francisco, CA · Remote

$240K - $280K/yr

Manage our Bug Bounty Program * Implement security controls across Merge, from infrastructure to CI * Implement and run manual and automated security practices to mitigate vulnerabilities * Assist ...

Merge LLC

Head of Security

San Francisco, CA · Remote

$240K - $280K/yr

Manage our Bug Bounty Program * Implement security controls across Merge, from infrastructure to CI * Implement and run manual and automated security practices to mitigate vulnerabilities * Assist ...

Figma

Security Engineer

San Francisco, CA · Remote

Help run penetration testing, offensive security exercises, and support our bug bounty program. * Help respond to product security incidents. Anti-Abuse * Design and build technical systems to ...

Pylon Labs

Software Engineer, Security

San Francisco, CA · On-site

$180K - $300K/yr

SOC 2, ISO 27001, HIPAA, bug bounty programs * Jump into pre- and post-sales conversations as the security stakeholder * Help us move fast while keeping the right guardrails in place * Take projects ...

next page

Showing results 1-20

All JobsBug Bounty Program JobsBug Bounty Program Jobs in California

Bug Bounty Program information

How do I join a bug bounty program?

To join a bug bounty program, you typically need to register on the platform hosting the program, such as HackerOne or Bugcrowd, and agree to their rules and scope. Developing skills in web security, using tools like Burp Suite or OWASP ZAP, and understanding responsible disclosure are essential. Some programs may require prior experience or certifications like OSCP or CEH.

What are some common challenges faced by professionals managing a Bug Bounty Program?

Professionals overseeing a Bug Bounty Program often encounter challenges such as efficiently triaging a high volume of vulnerability reports, ensuring clear communication with security researchers, and balancing quick response times with thorough investigation. Additionally, maintaining strong relationships with both internal development teams and external participants is crucial for program success. Staying updated on evolving security threats and continually refining program policies are ongoing responsibilities that require adaptability and collaboration.

How much do bug bounties get paid?

Bug bounty programs pay security researchers based on the severity and impact of the vulnerabilities they discover, with rewards ranging from $100 to over $100,000 for critical issues. Payments vary depending on the program, the organization, and the complexity of the bug, and researchers often use platforms like HackerOne or Bugcrowd to participate.

Which bug bounty pays the most?

Bug bounty programs from large technology companies like Apple, Google, and Microsoft tend to offer the highest payouts, often reaching hundreds of thousands of dollars for critical vulnerabilities. Successful bug bounty hunters typically have strong technical skills, knowledge of security testing tools, and experience in identifying high-impact security flaws.

What are the key skills and qualifications needed to thrive as a Bug Bounty Program participant, and why are they important?

To excel in a Bug Bounty Program, you need strong knowledge of cybersecurity fundamentals, vulnerability assessment, and web or software exploitation techniques, often backed by practical experience or certifications like OSCP or CEH. Familiarity with tools such as Burp Suite, Nmap, and Metasploit, as well as bug bounty platforms like HackerOne or Bugcrowd, is typically required. Critical thinking, persistence, and clear written communication are crucial soft skills for effectively identifying vulnerabilities and reporting them to organizations. These skills ensure you can discover security flaws efficiently, responsibly disclose them, and build a positive reputation in the cybersecurity community.

What is a Bug Bounty Program?

A Bug Bounty Program is an initiative offered by organizations that invites ethical hackers and security researchers to identify and report vulnerabilities in the company’s software, websites, or systems. Participants are typically rewarded with monetary compensation, recognition, or other incentives based on the severity of the bugs they find. These programs help organizations strengthen their security by leveraging the broader cybersecurity community, thus identifying issues before malicious hackers can exploit them. Bug bounty programs are widely used by tech companies to enhance security and build trust with users.

Will Facebook pay $500 if you find a bug in their code?

As a bug bounty program participant, Facebook's bug bounty rewards vary depending on the severity and impact of the vulnerability found. While some reports have received payments of $500 or more, the amount is not guaranteed and depends on the quality and significance of the bug. Participants should review Facebook's bug bounty guidelines for specific payout details and submission criteria.

What is the difference between Bug Bounty Program vs Penetration Tester?

AspectBug Bounty ProgramPenetration Tester
CredentialsKnowledge of security vulnerabilities, bug reporting skillsCertifications like OSCP, CEH, CISSP often preferred
Work EnvironmentRemote, project-based, crowdsourcedConsulting firms, in-house teams, on-site or remote
Industry UsageTech companies, startups, open security initiativesSecurity firms, corporate security teams, government agencies
Search/Comparison IntentUnderstanding crowdsourced bug finding vs professional testingComparing freelance or company-based security assessments

The main difference is that Bug Bounty Programs are crowdsourced initiatives where individuals report vulnerabilities remotely, often without formal certifications. Penetration Testers are professionals with certifications who perform targeted security assessments, usually in a consulting or in-house setting. Both roles focus on identifying security flaws but differ in structure, credentials, and work environment.

What are the most commonly searched types of Bug Bounty Program jobs in California? The most popular types of Bug Bounty Program jobs in California are:
What are popular job titles related to Bug Bounty Program jobs in California? For Bug Bounty Program jobs in California, the most frequently searched job titles are:
What job categories do people searching Bug Bounty Program jobs in California look for? The top searched job categories for Bug Bounty Program jobs in California are:
What cities in California are hiring for Bug Bounty Program jobs? Cities in California with the most Bug Bounty Program job openings:
Bug Bounty Program jobs near you
Infographic showing various Bug Bounty Program job openings in California as of June 2026, with employment types broken down into 67% Full Time, and 33% Contract. Highlights an 67% In-person, and 33% Remote job distribution.
Product Security Engineer (PSIRT - Product Security Incident Response Team)

Product Security Engineer (PSIRT - Product Security Incident Response Team)

Replit

Foster City, CA • On-site

$180K - $325K/yr

Full-time

Medical, Dental, Vision, Life, Retirement

Posted 26 days ago

Job description

Replit is the agentic software creation platform that enables anyone to build applications using natural language. With millions of users worldwide, Replit is democratizing software development by removing traditional barriers to application creation.
About the Role
We are looking for a highly skilled PSIRT Engineer to lead the vulnerability response program for Replit's cloud-native AI platform. You will own the lifecycle of security vulnerabilities affecting our products and services-from intake to validation, remediation coordination, and public disclosure.
This role requires strong technical ability to reproduce vulnerabilities, deep understanding of web/app/cloud exploit classes, and experience operating bug bounty and coordinated disclosure programs. You will work closely with Engineering, Cloud Security, SecOps, SRE, and IT teams to ensure vulnerabilities are fixed quickly and communicated responsibly.
What You'll Do
Vulnerability Intake, Triage & Validation
  • Manage intake from bug bounty platforms (HackerOne preferred), customer reports, automated scanners, pentest reports, and coordinated disclosure channels.
  • Independently validate, reproduce, severity-score, and document findings.
  • Identify duplicates and maintain a clean vulnerability records pipeline.
  • Assess relevance and exploitability using OWASP, cloud misconfiguration patterns, and identity/authentication/authorization risks (Oauth, OIDC).
Remediation Coordination & SLA Management
  • Work with Engineering, SecOps, IT, SRE, and Cloud Security to confirm product impact and drive remediation.
  • Provide detailed reproduction steps, proof-of-concepts, and technical analyses.
  • Track SLAs, remediation progress, regression testing, and systemic improvements.
  • Support SOC 2, ISO 27001, and pentest evidence needs as part of vulnerability lifecycle governance.
Bug Bounty & Vulnerability Disclosure Program Management
  • Design and evolve the bug bounty program, including scope, rules, and reward structures.
  • Manage platform selection, private vs. public launches, and community engagement.
  • Communicate clearly with researchers, provide clarifications, and handle feedback or disputes.
  • Determine reward payouts, bonus decisions, and recognition for top contributors.
Coordinated Disclosure & CVE Management
  • Lead the coordinated vulnerability disclosure process for internal and external findings.
  • Negotiate disclosure timelines with researchers and partners.
  • Coordinate CVE assignments and publications, and prepare customer/public advisories.

Required Skills
  • Experience running or triaging for bug bounty programs (HackerOne ideally).
  • Strong ability to triage, validate, and reproduce vulnerabilities independently.
  • Deep understanding of web/app/cloud vulnerability classes, OWASP Top 10, misconfigurations, authN/Z issues, etc.
  • Familiarity with cloud platforms (GCP preferred) and SaaS architectures.
  • Strong understanding of CI/CD workflows, code structure, and software engineering fundamentals.

Nice to Have
  • Scripting or automation experience (Python, Go, Bash).
  • Pentesting background or exposure to offensive security work.
  • Familiarity with compliance frameworks such as SOC 2 and ISO 27001.
  • Experience authoring public advisories or CVE writeups.
  • Hands-on experience with SIEM, Cloud Logging, and investigative tooling.

This is a full-time role that can be held from our Foster City, CA office. The role has an in-office requirement of Monday, Wednesday, and Friday.
Full-Time Employee Benefits Include:
Competitive Salary & Equity
401(k) Program with a 4% match (US Only)
Health, Dental, Vision and Life Insurance
Short Term and Long Term Disability
Paid Parental, Medical, Caregiver Leave
Flexible Time Off (FTO) + Holidays
Commuter Benefits (In-Office Only)
Monthly Wellness Stipend
Autonomous Work Environment
In Office Set-Up Reimbursement (In-Office Only)
Quarterly Team Gatherings
In Office Amenities (In-Office Only)
Want to learn more about what we are up to?
  • Meet the Replit Agent
  • Replit: Make an app for that
  • Replit Blog
  • Amjad TED Talk

Interviewing + Culture at Replit
  • Operating Principles
  • Reasons not to work at Replit

To achieve our mission of making programming more accessible around the world, we need our team to be representative of the world. We welcome your unique perspective and experiences in shaping this product. We encourage people from all kinds of backgrounds to apply, including and especially candidates from underrepresented and non-traditional backgrounds.

Apply