1

Bug Bounty Jobs (NOW HIRING)

Senior Security Engineer

$117K - $160K/yr

... bug bounty, third-party pentests, and cloud security posture scans. • Mentor security analysts and security champions on cloud security best practices and techniques. Qualifications : Required ...

Senior Product Security Engineer

$117K - $160K/yr

Contribute to our vulnerability management program, including triaging bug bounty and vulnerability disclosure reports and driving remediation efforts. * Security Automation : Develop and implement ...

Experience in Red Teaming and bug bounty programs preferred Ideal Candidate: * 5-8 years of security testing experience * Proven ability to mentor teams and implement enterprise security solutions

About the Role: We're looking for a Security Engineer who is equally at home hardening a CI/CD pipeline, reviewing a change to the authentication system on the backend, and triaging a bug bounty ...

AppSec SME

$60.25 - $80.25/hr

Monitor and track the Bug bounty vulnerabilities and remediation closure * Track the coverage of the network and application penetration testing * Validation of Vulnerabilities for false positive ...

Software Engineer

San Francisco, CA · On-site

$150K - $300K/yr

About Us * CEO Jack Cable is a top-ranked bug bounty hunter who previously led Secure by Design at CISA. * CTO Ashwin Ramaswami is an engineer who has built large-scale systems at Skiff, Caldera, and ...

next page

Showing results 1-20

Bug Bounty information

See salary details

$12

$20

$25

How much do bug bounty jobs pay per hour?

As of Jul 14, 2026, the average hourly pay for bug bounty in the United States is $20.98, according to ZipRecruiter salary data. Most workers in this role earn between $17.31 and $22.12 per hour, depending on experience, location, and employer.

What are the typical daily responsibilities of someone participating in bug bounty programs?

As a bug bounty professional, your daily activities often involve researching target applications, actively probing for vulnerabilities using automated tools and manual techniques, and documenting your findings in detailed reports. You may spend significant time reproducing and validating security issues before responsibly disclosing them to the organization via official bug bounty platforms. Collaboration is usually asynchronous, with occasional interactions with in-house security teams for clarification or follow-up on reported issues. Managing your workflow and keeping up with evolving security trends are also essential parts of the job, ensuring your findings remain thorough and relevant.

Is AI killing bug bounty?

AI is transforming bug bounty programs by automating vulnerability detection and analysis, which can reduce the number of low-level reports but also enhances the efficiency of security researchers. Bug bounty hunters need to adapt by developing skills in AI and machine learning tools to stay effective in identifying complex security flaws.

How do I get into bug bounty?

To get into bug bounty hunting, develop skills in web security, programming, and vulnerability assessment using tools like Burp Suite or OWASP ZAP. Start by participating in platforms such as HackerOne or Bugcrowd, and build a portfolio of discovered bugs to demonstrate your expertise. Continuous learning and practice are essential to succeed in this field.

What are the key skills and qualifications needed to thrive in the Bug Bounty position, and why are they important?

To thrive as a Bug Bounty professional, you need a strong understanding of web application security, programming languages, and vulnerability assessment methodologies. Familiarity with tools such as Burp Suite, OWASP ZAP, and various penetration testing frameworks, as well as certifications like OSCP or CEH, is highly valued. Persistence, attention to detail, and effective written communication are essential soft skills in this role. These competencies enable professionals to discover, document, and report security flaws accurately, helping organizations improve their cyber defenses.

What is a Bug Bounty job?

A Bug Bounty job involves finding and reporting security vulnerabilities in software, websites, or systems in exchange for monetary rewards. Companies run bug bounty programs to leverage ethical hackers' skills in identifying potential threats before malicious hackers can exploit them. Bug bounty hunters typically work as independent security researchers and submit vulnerability reports to organizations through platforms like HackerOne, Bugcrowd, or Synack. Payments vary based on the severity of the discovered flaw, with critical vulnerabilities earning the highest rewards.

Can bug bounty be a career?

Yes, bug bounty hunting can be a career for cybersecurity professionals, ethical hackers, and security researchers. Many organizations and platforms offer paid bug bounty programs, allowing individuals to earn income by identifying security vulnerabilities. Success in this field often requires skills in web security, programming, and familiarity with bug bounty platforms like HackerOne or Bugcrowd.

How much does a bug bounty make?

Bug bounty hunters can earn from a few hundred to over $100,000 per bug, depending on the severity and impact of the vulnerability found. Earnings vary widely based on the program, the complexity of the bug, and the hunter's skills, with top performers often earning six-figure sums annually. Successful bug bounty hunters typically have strong cybersecurity skills and familiarity with bug bounty platforms like HackerOne or Bugcrowd.
More about Bug Bounty jobs
What cities are hiring for Bug Bounty jobs? Cities with the most Bug Bounty job openings:
What are the most commonly searched types of Bug Bounty jobs? The most popular types of Bug Bounty jobs are:
What states have the most Bug Bounty jobs? States with the most job openings for Bug Bounty jobs include:
Infographic showing various Bug Bounty job openings in the United States as of July 2026, with employment types broken down into 80% Full Time, and 20% Contract. Highlights an 60% In-person, and 40% Remote job distribution, with an average salary of $43,637 per year, or $21 per hour.

Senior Application Security & DevSecOps Engineer

MrBeast

Chicago, IL • On-site

$60.50 - $80.75/hr

Full-time

Medical, Dental, Vision, Life, Retirement, PTO

Re-posted 7 days ago


Job description

About Us
Beast Industries is a multifaceted media and entertainment company founded by Jimmy Donaldson, popularly known as MrBeast, the most watched person in the world. Renowned for revolutionizing digital content creation, Beast Industries encompasses a diverse portfolio of ventures that extend far beyond its origins on YouTube. With a mission to entertain, inspire, and create significant social impact, Beast Industries operates across various domains including digital media, philanthropy, consumer products, and innovative business initiatives. At Beast Industries, we believe in the transformative power of digital media and its potential to entertain, educate, and effect positive change. Our commitment to innovation, creativity, and philanthropy drives us to explore new frontiers, create unforgettable experiences, and build a legacy that inspires future generations.
Location: (On-site / Hybrid / Remote - NY, Bay Area, Chicago, Greenville)
Department: Technology
About The Role
This is a hands-on Application Security role, not a generalist security position. As Senior Application Security & DevSecOps Engineer, you will own the security of our web and mobile applications and the APIs behind them - finding the vulnerabilities before anyone else does, running our offensive testing and bug bounty programs, and building security into the pipelines that ship our code.
You'll work close to the code. Our stack is heavily automated and developer-centric: a custom DSL layer governs how code reaches production, translating into Kubernetes and Terraform deployment tasks, and our backend leans on Kotlin and Gradle. You should be able to read and reason about production code, write your own tooling, and own the security of the build and release process end to end - not hand the hard parts to DevOps.
If you think like an attacker, are fluent in mobile and API internals, and want to own AppSec for products that millions of people use, this role is for you.
What You'll Do
Application Security (core)
  • Lead secure code review and threat modeling for web, mobile, and API surfaces, and drive secure-by-design practices with engineering teams.
  • Own the application vulnerability lifecycle - discovery, triage, severity, remediation guidance, and verification - and partner with engineers on durable fixes, not just findings.
  • Build internal AppSec tooling and lightweight security libraries that make the secure path the easy path for developers.
Mobile Application Security
  • Own security for our iOS and Android apps: secure local storage (Keychain / Keystore), certificate pinning, jailbreak/root and tampering detection, anti-reverse-engineering, and secure app-to-API communication.
  • Assess apps against OWASP MASVS / MASTG, and review third-party SDKs and dependencies for risk.
  • Perform mobile-focused testing with tooling such as Frida, objection, MobSF, Burp Suite, and static/dynamic RE tools.
Offensive Security & Penetration Testing
  • Run internal penetration tests and red-team-style assessments against our apps, APIs, and supporting services.
  • Validate and weaponize findings to demonstrate real impact, then drive them to resolution.
  • Pressure-test authentication, authorization, session handling, and business-logic flows (OAuth/OIDC, GraphQL/REST, IDOR, privilege escalation).
Bug Bounty Program
  • Own and operate our bug bounty program (e.g., HackerOne / Bugcrowd): scope definition, researcher communication, triage, deduplication, severity, and payout coordination.
  • Close the loop by feeding bounty findings back into secure code review, threat models, and CI/CD checks so the same class of bug doesn't recur.
  • Track program health and report on trends, top vulnerability classes, and time-to-fix.
CI/CD & Pipeline Security
  • Own the security posture of our CI/CD pipelines and deployment toolchain, including the custom DSL that translates to Kubernetes and Terraform.
  • Integrate and tune SAST, DAST, and dependency/SCA scanning (e.g., Semgrep, CodeQL) as meaningful, low-noise gates in GitHub Actions.
  • Implement secrets scanning, build/release integrity, artifact signing, and supply-chain controls (SBOMs, provenance).
  • Drive a security-focused cleanup of existing pipelines and automate the manual, one-off deployment steps that exist today.
What You Bring
Required Experience
  • 8+ years focused on Application Security and/or offensive security (penetration testing, exploit development).
  • Strong software-development skills - you can read, write, and review production code rather than just operating tools. Experience with Kotlin and Gradle (and/or Swift/Android for mobile) is highly relevant to our stack; Python for automation and custom tooling.
  • Deep mobile application security expertise across iOS and Android: OWASP MASVS/MASTG, cert pinning, secure storage, anti-tampering/RE, and mobile testing tooling (Frida, objection, MobSF, Burp).
  • Hands-on penetration testing of web apps, mobile apps, and APIs, with the ability to demonstrate real exploitability.
  • API security depth - OAuth/OIDC, REST and GraphQL, authn/authz and business-logic flaws.
  • CI/CD security experience with GitHub Actions, including SAST/DAST/SCA integration, secrets scanning, and securing the build/release pipeline.
  • Strong security fundamentals, including applied cryptography - a clear command of certificates and PKI, encryption vs. key management, and where HSMs fit.
Strongly Preferred
  • Experience running or scaling a bug bounty / VDP program (HackerOne, Bugcrowd, or similar).
  • Offensive security certifications (OSCP, OSWE, GMOB, or equivalent demonstrated skill).
  • Experience securing consumer fintech/Gaming/Reels apps and the regulatory expectations that come with handling user funds and data for teens and their subscriptions.
  • Software-supply-chain security experience (SBOMs, artifact signing, provenance).
  • Reverse engineering / binary analysis (Ghidra, Hopper, IDA).
What Success Looks Like
  • Critical and high-severity application vulnerabilities are found internally - by you and your tooling - before they reach users or external researchers.
  • Our mobile apps meet a defined, measurable security bar across iOS and Android.
  • The bug bounty program is well-run, fairly triaged, and consistently feeds improvements back into the SDLC.
  • Every meaningful change ships through CI/CD with security checks that engineers trust because they're accurate, not noisy.
  • Manual, one-off deployment steps are automated away, and the build/release path is hardened end to end.
Why This Role Is Different
  • You'll own application security for products used by millions - not review tickets for a generic security backlog.
  • You'll work close to the code in a Kotlin/Gradle, highly automated stack where AppSec and software engineering are the same discipline.
  • You'll run real offensive testing and a real bug bounty program, then turn those findings into lasting fixes.
  • You'll operate at the intersection of Application Security, Offensive Security, and CI/CD - and build the systems, not just audit them.

Benefits
The Perks, Why Work On the MrBeast Team
We are redefining what entertainment and storytelling look like at global scale. Every piece of content we publish reaches millions and influences culture in real time. This is your opportunity to lead the team that decides how those moments come to life across every screen.
  • Competitive Salary
  • Generous Medical (Blue Cross Blue Shield), Dental, Vision and company-paid Life Insurance
  • Company contributions to employee Health Savings Accounts (HSA)
  • 401k Plan with Safe Harbor company-matching
  • Flexible vacation policy and paid company holidays
  • Company-provided technology package
  • Relocation assistance where applicable, including travel and company-provided housing for the first 90 days