They are seeking a Product Security Engineer to support their Bug Bounty program on a 6-month contract engagement, where the engineer will be responsible for triaging vulnerability reports and ...
They are seeking a Product Security Engineer to support their Bug Bounty program on a 6-month contract engagement, where the engineer will be responsible for triaging vulnerability reports and ...
Product Security Engineer
Lehi, UT · On-site
$67.61 - $84.51/hr
You will work closely with internal engineering and security stakeholders to drive remediation and improve the bug bounty program's effectiveness. This is a contract engagement expected to backfill a ...
Quick apply
Product Security Engineer
Lehi, UT · On-site
$67.61 - $84.51/hr
You will work closely with internal engineering and security stakeholders to drive remediation and improve the bug bounty program's effectiveness. This is a contract engagement expected to backfill a ...
Product Security Engineer
Lehi, UT · On-site
$67.61 - $84.51/hr
You will work closely with internal engineering and security stakeholders to drive remediation and improve the bug bounty program's effectiveness. This is a contract engagement expected to backfill a ...
Product Security Engineer
Lehi, UT · On-site
$67.61 - $84.51/hr
You will work closely with internal engineering and security stakeholders to drive remediation and improve the bug bounty program's effectiveness. This is a contract engagement expected to backfill a ...
Product Security Engineer
Lehi, UT · On-site
We are seeking a Product Security Engineer to support our Bug Bounty program on a 6-month contract engagement, backfilling a team member on leave. You will be the frontline responder for external ...
Product Security Engineer
Lehi, UT · On-site
We are seeking a Product Security Engineer to support our Bug Bounty program on a 6-month contract engagement, backfilling a team member on leave. You will be the frontline responder for external ...
... Bug Bounty Hunter VirtualHackingLabs Advanced+ Optional: GXPN, GWAPT, GRID, GPEN, CISSP, CCNA, CEH Master, Security+ Key Responsibilities: * Develop and deliver training programs on ISSO, ISSM roles ...
... Bug Bounty Hunter VirtualHackingLabs Advanced+ Optional: GXPN, GWAPT, GRID, GPEN, CISSP, CCNA, CEH Master, Security+ Key Responsibilities: * Develop and deliver training programs on ISSO, ISSM roles ...
... Bug Bounty Hunter VirtualHackingLabs Advanced+ Optional: GXPN, GWAPT, GRID, GPEN, CISSP, CCNA, CEH Master, Security+ Key Responsibilities: * Develop and deliver training programs on ISSO, ISSM roles ...
Quick apply
... Bug Bounty Hunter VirtualHackingLabs Advanced+ Optional: GXPN, GWAPT, GRID, GPEN, CISSP, CCNA, CEH Master, Security+ Key Responsibilities: * Develop and deliver training programs on ISSO, ISSM roles ...
Drive governance for vulnerability findings from scanning tools, penetration tests, customer reviews, audits, and bug bounty programs, including risk adjustment, remediation ownership, escalation ...
Drive governance for vulnerability findings from scanning tools, penetration tests, customer reviews, audits, and bug bounty programs, including risk adjustment, remediation ownership, escalation ...
Bug Bounty Program information
What are some common challenges faced by professionals managing a Bug Bounty Program?
What are the key skills and qualifications needed to thrive as a Bug Bounty Program participant, and why are they important?
What is a Bug Bounty Program?
What is the difference between Bug Bounty Program vs Penetration Tester?
| Aspect | Bug Bounty Program | Penetration Tester |
|---|---|---|
| Credentials | Knowledge of security vulnerabilities, bug reporting skills | Certifications like OSCP, CEH, CISSP often preferred |
| Work Environment | Remote, project-based, crowdsourced | Consulting firms, in-house teams, on-site or remote |
| Industry Usage | Tech companies, startups, open security initiatives | Security firms, corporate security teams, government agencies |
| Search/Comparison Intent | Understanding crowdsourced bug finding vs professional testing | Comparing freelance or company-based security assessments |
The main difference is that Bug Bounty Programs are crowdsourced initiatives where individuals report vulnerabilities remotely, often without formal certifications. Penetration Testers are professionals with certifications who perform targeted security assessments, usually in a consulting or in-house setting. Both roles focus on identifying security flaws but differ in structure, credentials, and work environment.

Job description
Ursus, Inc. is a staffing agency representing a global leader in creative software, offering innovative tools for digital media creation, design, and marketing. They are seeking a Product Security Engineer to support their Bug Bounty program on a 6-month contract engagement, where the engineer will be responsible for triaging vulnerability reports and coordinating with internal teams for remediation.
Responsibilities:
• Triage incoming vulnerability reports submitted via the bug bounty platform, assessing validity, impact, and scope.
• Assign CVSS scores and severity ratings accurately, following internal severity guidelines and industry standards.
• Reproduce proof-of-concept (PoC) exploits to validate reported vulnerabilities across web, API, and mobile surfaces.
• Communicate clearly and professionally with external researchers: request clarifications, provide status updates, and manage expectations.
• Coordinate with product engineering teams to route confirmed vulnerabilities for remediation.
• Identify duplicate, out-of-scope, or informational reports and close them with clear, respectful explanations.
• Contribute to internal documentation, triage runbooks, and severity calibration guidelines.
• Flag systemic or critical findings to Bug Bounty team for escalation as needed.
Qualifications:
Required:
• 3+ years of experience in application security, penetration testing, or a bug bounty/vulnerability disclosure role.
• Strong understanding of CVSS v3.1 scoring and hands-on experience applying it to real-world vulnerabilities.
• Proficiency in common web vulnerability classes: XSS, SQL injection, SSRF, IDOR, authentication flaws, and business logic issues.
• Ability to reproduce and validate PoC exploits using tools such as Burp Suite, browser DevTools, curl, and custom scripts.
• Familiarity with bug bounty platforms (e.g., HackerOne, Bugcrowd) and responsible disclosure processes.
• Solid written communication skills — able to write clear, constructive responses to researchers of all skill levels.
• Familiarity with attacker techniques used by external researchers against LLM systems and generative AI products.
• Knowledge of application security vulnerabilities (OWASP Top 10) and mitigation techniques.
Preferred:
• Experience with cloud environments (AWS, Azure, GCP) and API security testing.
• Hands-on experience in penetration testing of AI/ML and LLM-powered products, including chat interfaces, agentic workflows, and inference APIs.
• Prior participation in bug bounty programs as a researcher.
• Familiarity with OWASP Top 10, CWE taxonomy, and CVE assignment processes.
• Background working within a large enterprise or SaaS security organization.
Company:
Ursus, Inc., has been recognized by Staffing Industry Analysts (SIA) for four consecutive years as the fastest-growing technical and creative staffing firm in the United States. Founded in 2015, the company is headquartered in San Francisco, USA, with a team of 201-500 employees. The company is currently Growth Stage.
About Ursus
Sourced by ZipRecruiter
Ursus is a recognized leader in providing technical and creative staffing solutions. Hyper - focused on you - ( the candidate, the client, the partner, the employee ) and how to make your engagement with us the best possible experience it can be while delivering results. Whether you are looking for your next career move, scaling a growing team, adding a trusted partner to your staffing program or completing a project, we’re here for U!
Industry
Recruiting and staffing services
Company size
11 - 50 Employees
Headquarters location
Morgan Hill, CA, US
Year founded
2015