Bug Bounty Program Jobs (NOW HIRING)

Technical Program Manager - Security

$132K - $160K/yr

... Bug Bounty Program • Familiar with security tooling and system integrations • Experience leading an External Penetration Test end-to-end, by managing the vendor, defining and prioritizing the ...

... Bug Bounty Program • Implement security controls across Merge, from infrastructure to CI • Implement and run manual and automated security practices to mitigate vulnerabilities • Assist with ...

Manage the external penetration testing program and own the bug bounty program end-to-end: triage, severity calibration, researcher communication, and payout coordination * Track and drive ...

Senior Cybersecurity Engineer

Houston, TX · On-site

$109K - $149K/yr

... the bug bounty and responsible disclosure program, including vulnerability triage and researcher communications. • Evaluate AI-powered tools and agentic AI platforms from a security perspective ...

Experience in Red Teaming and bug bounty programs preferred. Ideal Candidate: * 5-8 years of security testing experience * Proven ability to mentor teams and implement enterprise security solutions

Senior Security Engineer - Automation

OR · Remote

$117K - $160K/yr

We actively manage our Bug Bounty program, ensuring swift response and remediation, and leverage cutting-edge tools like Cloudflare's WAF to build robust defenses. We offer an extensive number of ...

SOC Engineer

Foster City, CA · On-site

$180K - $250K/yr

Experience working with bug bounty programs or coordinated vulnerability disclosure workflows. * Experience in fast-paced, cloud-native, or AI/ML-driven environments. What We Value * Curiosity ...

Head of Security

San Francisco, CA · On-site

$240K - $280K/yr

Manage our Bug Bounty Program * Implement security controls across Merge, from infrastructure to CI * Implement and run manual and automated security practices to mitigate vulnerabilities * Assist ...

Senior Cybersecurity Engineer

Houston, TX · On-site

$105K - $145K/yr

Provide application security guidance and support the bug bounty and responsible disclosure program, including vulnerability triage and researcher communications. * Evaluate AI-powered tools and ...

Review and triage submissions from the Bug Bounty program; escalate critical findings to appropriate teams and help drive remediation * Contribute to threat modeling activities, providing expert ...

Bug Bounty Program information

Hourly pay scale markers: $16, $49, $78

How much do bug bounty program jobs pay per hour?

As of Jun 5, 2026, the average hourly pay for bug bounty program in the United States is $49.60, according to ZipRecruiter salary data. Most workers in this role earn between $31.73 and $66.83 per hour, depending on experience, location, and employer.

What are some common challenges faced by professionals managing a Bug Bounty Program?

Professionals overseeing a Bug Bounty Program often encounter challenges such as efficiently triaging a high volume of vulnerability reports, ensuring clear communication with security researchers, and balancing quick response times with thorough investigation. Additionally, maintaining strong relationships with both internal development teams and external participants is crucial for program success. Staying updated on evolving security threats and continually refining program policies are ongoing responsibilities that require adaptability and collaboration.

What are the key skills and qualifications needed to thrive as a Bug Bounty Program participant, and why are they important?

To excel in a Bug Bounty Program, you need strong knowledge of cybersecurity fundamentals, vulnerability assessment, and web or software exploitation techniques, often backed by practical experience or certifications like OSCP or CEH. Familiarity with tools such as Burp Suite, Nmap, and Metasploit, as well as bug bounty platforms like HackerOne or Bugcrowd, is typically required. Critical thinking, persistence, and clear written communication are crucial soft skills for effectively identifying vulnerabilities and reporting them to organizations. These skills ensure you can discover security flaws efficiently, responsibly disclose them, and build a positive reputation in the cybersecurity community.

What is a Bug Bounty Program?

A Bug Bounty Program is an initiative offered by organizations that invites ethical hackers and security researchers to identify and report vulnerabilities in the company’s software, websites, or systems. Participants are typically rewarded with monetary compensation, recognition, or other incentives based on the severity of the bugs they find. These programs help organizations strengthen their security by leveraging the broader cybersecurity community, thus identifying issues before malicious hackers can exploit them. Bug bounty programs are widely used by tech companies to enhance security and build trust with users.

What is the difference between a Bug Bounty Program and a Penetration Tester?

Aspect                    | Bug Bounty Program                                              | Penetration Tester
--------------------------|-----------------------------------------------------------------|------------------------------------------------------------
Credentials               | Knowledge of security vulnerabilities, bug reporting skills     | Certifications like OSCP, CEH, CISSP often preferred
Work Environment          | Remote, project-based, crowdsourced                             | Consulting firms, in-house teams, on-site or remote
Industry Usage            | Tech companies, startups, open security initiatives             | Security firms, corporate security teams, government agencies
Search/Comparison Intent  | Understanding crowdsourced bug finding vs professional testing  | Comparing freelance or company-based security assessments

The main difference is that Bug Bounty Programs are crowdsourced initiatives where individuals report vulnerabilities remotely, often without formal certifications. Penetration Testers are professionals with certifications who perform targeted security assessments, usually in a consulting or in-house setting. Both roles focus on identifying security flaws but differ in structure, credentials, and work environment.

Senior Application Security Engineer (Offensive / Red Team)

Shutterfly

Remote

$117K - $160K/yr

Full-time

Medical, Retirement

Posted yesterday


Shutterfly rating: 6.4 out of 10 (based on 41 frontline employees who took The Breakroom Quiz; 257th of 713 rated retailers)

Job description
At Shutterfly, we make life's experiences unforgettable. We believe there is extraordinary power in self-expression. That's why our family of brands helps customers create products and capture moments that reflect who they uniquely are.
This is an exciting time for Shutterfly, and we are looking for a Senior Application Security Engineer (Offensive / Red Team) to join our team. In this role you will help shape an evolving offensive security practice, leading Red Team engagements against Shutterfly's critical applications while partnering closely with our Blue Team throughout each engagement to produce Purple Team outcomes - stronger detections, faster response, and measurably improved defenses. We're looking for someone who is as passionate about uncovering and exploiting a vulnerability as they are about working alongside defenders to make sure it can be detected, contained, and remediated. Just as important, you'll partner with developers and engineering teams to educate them on how to prevent and avoid vulnerabilities in the first place, and guide them on how to fix issues once identified. Your focus will be on building an offensive security capability that strengthens the entire security program, with collaboration between offense, defense, and engineering at its core.
Note: We are unable to provide any visa sponsorship for this position at this time.
What You'll Do Here:
  • Red Team Operations: Plan and lead offensive engagements against Shutterfly's applications and supporting infrastructure using established offensive and testing techniques - manual web penetration testing, exploitation, fuzzing, and adversary emulation supported by industry-standard offensive tooling - and coordinate with third-party testers when engagements call for it.
  • Purple Team Collaboration: Work hand-in-hand with the Blue Team throughout every engagement. Share tactics, techniques, and procedures in real time, validate and improve detection and alerting coverage, run collaborative exercises, and convert offensive findings into concrete defensive improvements.
  • AI-Driven Offensive Security: Augment conventional offensive techniques with AI and LLM-based tooling to accelerate and extend offensive and testing work - reconnaissance, payload and test-case generation, code and configuration review, and exploitation.
  • Maintain a working understanding of how threat actors are weaponizing AI, and fold that knowledge into engagements and defensive recommendations to keep pace with a rapidly changing threat landscape.
  • Bug Bounty Program Management: Manage the bug bounty program end to end - triage, impact assessment, risk scoring (CVSS), locating vulnerable code, providing mitigation guidance, thorough re-testing, and refining program policy and scope as needed.
  • Vulnerability Management: Identify, triage, and drive remediation of application vulnerabilities through manual testing and exploitation, escalating systemic issues to the appropriate engineering teams.
  • Threat Modeling & Risk Assessment: Lead threat modeling exercises and perform risk assessments for new and existing applications, using offensive insight to prioritize the risks that matter most.
  • Incident Response: Collaborate with incident response and Blue Team partners to investigate application-related security incidents, applying offensive expertise to scope, reproduce, and understand attacker activity.
  • Secure SDLC: Help define and reinforce secure development practices, including code reviews and integration of security checks into the CI/CD pipeline.
  • Code Review: Perform and lead security reviews of critical PRs and code changes, and review code in most major languages.
  • Security Architecture & Design: Partner with engineering and architecture teams to advise on secure systems and applications design, ensuring security is built in from the ground up.
  • Subject Matter Expertise: Serve as a top technical resource to engineers across the organization. Help them reproduce vulnerabilities, understand impact, document issues, and validate the effectiveness of fixes.
  • Mentorship & Leadership: Mentor junior security engineers and developers on offensive techniques, secure coding practices, and security principles. Build relationships with stakeholders and business leaders across the organization.
  • Cross-Functional Collaboration: Work closely with product, engineering, DevOps, defensive security, and compliance teams to align security with business goals.
  • Continuous Improvement: Maintain up-to-date knowledge of relevant offensive techniques, threats, mitigations, security best practices, and the evolving role of AI in both offensive operations and adversary activity.
  • Security Tooling: Make effective use of the existing security tooling stack (e.g., SAST, SCA, DAST, IAST) to support offensive and defensive work.

Required Qualifications:
  • Bachelor's degree in computer science, cybersecurity, or a related technical field, or comparable hands-on experience in lieu of a degree.
  • Demonstrated experience leading or performing offensive security work, such as web application penetration testing or Red Team engagements, with hands-on proficiency in conventional offensive and testing techniques and industry-standard offensive tooling.
  • Hands-on experience using AI/LLM tools for offensive security or testing, with an understanding of how threat actors are leveraging AI in a rapidly evolving threat landscape.
  • Proficient in one modern programming language (preferably Java) and able to review code in most major languages.
  • Strong analytical and problem-solving abilities with a risk-based security approach.
  • Advanced user of Burp Suite Pro; bonus if you have created custom extensions in Java or Python or have used or modified existing extensions.
  • Excellent communication and collaboration skills, with the ability to work across offensive and defensive teams, IT, engineering, and business stakeholders.

Preferred Qualifications:
  • Experience running Purple Team exercises or otherwise collaborating directly with defensive/Blue Team functions to improve detection and response.
  • Full stack web development experience within an active security program.
  • Experience managing a bug bounty program.
  • A security certification that demonstrates proficiency in offensive security, network/web/mobile/AD assessments, secure coding, and professional report creation (for example: OSCP, OSEP, CRTO, OSWA, OSWE, GWAPT, GWEB).
  • Submitted reports to bug bounty programs or VDPs, and you've found a CVE along the way.
  • Strong command-line and scripting skills (bash, zsh, Python) on Linux and Mac.
  • Enjoy attending security conferences and occasionally participate in CTFs.
  • Spend time on cyber security training platforms (HackTheBox, TryHackMe).
  • Have worked with engineering teams to develop secure code libraries.
  • Capable of rapidly learning and integrating emerging tools and platforms with minimal supervision.

Supporting a diverse and inclusive workforce is important to Shutterfly not only because it directly reflects our value of Embracing our Differences, but also because it's the right thing to do for our business and for our people. We welcome all applicants and evaluate them based on their qualifications. Learn more about our commitment to Diversity, Equity, and Inclusion on our Career Site.
The compensation package for this role is based on multiple factors, such as job level, responsibilities, location, and candidate experience. The base pay ranges included below are specific to the locations listed, and may not be applicable to other locations.
California: $128,000-$181,250
Connecticut and New York: $128,000-$165,750
Colorado, Illinois, Minnesota and Washington: $128,000-$153,000
Nevada: $120,250-$165,750
Maryland and New Jersey: $138,250-$165,750
Hawaii: $120,250-$144,750
This position may be eligible for a bonus incentive, health benefits, a 401K program, and other employee perks. More details about our company benefits can be found at https://shutterflyinc.com/benefits/.
This opportunity can be remote, but candidates must reside in a state in which Shutterfly is registered to do business. This includes all US states except District of Columbia, North Dakota, Mississippi, Rhode Island, Vermont, and Wyoming.
This position will accept applications on an ongoing basis until filled.
#SFLYTechnology
