Security Engineer
New York, NY · On-site
About the Role: We're looking for a Security Engineer who is equally at home hardening a CI/CD pipeline, reviewing a change to the authentication system on the backend, and triaging a bug bounty ...
Security Engineer
New York, NY · On-site
About the Role: We're looking for a Security Engineer who is equally at home hardening a CI/CD pipeline, reviewing a change to the authentication system on the backend, and triaging a bug bounty ...
Lead the overall Security Product Engineering, Bug Bounty and Mythos era Vulnerability Management direction and roadmap execution. * Coach and mentor highly skilled engineers as a "player-coach ...
Lead the overall Security Product Engineering, Bug Bounty and Mythos era Vulnerability Management direction and roadmap execution. * Coach and mentor highly skilled engineers as a "player-coach ...
... bug bounty and vulnerability disclosure program, including intake, triage, prioritization, and remediation tracking. • Partner with product and engineering teams to threat model new features and ...
... bug bounty and vulnerability disclosure program, including intake, triage, prioritization, and remediation tracking. • Partner with product and engineering teams to threat model new features and ...
General Application
San Francisco, CA · On-site
Collectively, we've led security at some of the world's largest companies and published AI research at Stanford. * CEO Jack Cable is a top-ranked bug bounty hunter who previously led Secure by Design ...
General Application
San Francisco, CA · On-site
Collectively, we've led security at some of the world's largest companies and published AI research at Stanford. * CEO Jack Cable is a top-ranked bug bounty hunter who previously led Secure by Design ...
AppSec SME
$60.25 - $80.25/hr
Monitor and track the Bug bounty vulnerabilities and remediation closure * Track the coverage of the network and application penetration testing * Validation of Vulnerabilities for false positive ...
AppSec SME
$60.25 - $80.25/hr
Monitor and track the Bug bounty vulnerabilities and remediation closure * Track the coverage of the network and application penetration testing * Validation of Vulnerabilities for false positive ...
You will combine hands-on technical leadership with people management, overseeing programs that include subcomponents of Apple's bug bounty program, proactive vulnerability discovery, WAF rule ...
You will combine hands-on technical leadership with people management, overseeing programs that include subcomponents of Apple's bug bounty program, proactive vulnerability discovery, WAF rule ...
Software Engineer
San Francisco, CA · On-site
About Us * CEO Jack Cable is a top-ranked bug bounty hunter who previously led Secure by Design at CISA. * CTO Ashwin Ramaswami is an engineer who has built large-scale systems at Skiff, Caldera, and ...
Software Engineer
San Francisco, CA · On-site
About Us * CEO Jack Cable is a top-ranked bug bounty hunter who previously led Secure by Design at CISA. * CTO Ashwin Ramaswami is an engineer who has built large-scale systems at Skiff, Caldera, and ...
Senior Product Security Engineer
San Francisco, CA · On-site
$134K - $185K/yr
Shape Persona's presence in the security research community - running the bug bounty program that powers it Must-haves * 6+ years of software engineering experience * 3+ years in product security
New
Senior Product Security Engineer
San Francisco, CA · On-site
$134K - $185K/yr
Shape Persona's presence in the security research community - running the bug bounty program that powers it Must-haves * 6+ years of software engineering experience * 3+ years in product security
New
Lead and administer the HackerOne bug bounty and vulnerability disclosure program and collaborate with engineering team to remediate critical vulnerabilities, preventing security breaches. Work with ...
Lead and administer the HackerOne bug bounty and vulnerability disclosure program and collaborate with engineering team to remediate critical vulnerabilities, preventing security breaches. Work with ...
HackTheBox Certified Active Directory Pentesting Expert HackTheBox Certified Penetration Testing Specialist HackTheBox Certified Bug Bounty Hunter VirtualHackingLabs Advanced+ Optional: GXPN, GWAPT ...
Quick apply
HackTheBox Certified Active Directory Pentesting Expert HackTheBox Certified Penetration Testing Specialist HackTheBox Certified Bug Bounty Hunter VirtualHackingLabs Advanced+ Optional: GXPN, GWAPT ...
Shape Persona's presence in the security research community - running the bug bounty program that powers it Must-haves * 4+ years of software engineering experience * 2+ years in product security
New
Shape Persona's presence in the security research community - running the bug bounty program that powers it Must-haves * 4+ years of software engineering experience * 2+ years in product security
New
Penetration Testing & Bug Bounty: Manage our HackerOne engagement - coordinating pentests, triaging incoming bug bounty reports, and driving remediation. * Product Security: Audit application code ...
Penetration Testing & Bug Bounty: Manage our HackerOne engagement - coordinating pentests, triaging incoming bug bounty reports, and driving remediation. * Product Security: Audit application code ...
Senior Application Security Engineer
San Francisco, CA · On-site +1
$160K - $240K/yr
Validate, triage, and coordinate security findings from bug bounty and third party pentests. * Mentor security analysts and security champions on security best practices and techniques.
Senior Application Security Engineer
San Francisco, CA · On-site +1
$160K - $240K/yr
Validate, triage, and coordinate security findings from bug bounty and third party pentests. * Mentor security analysts and security champions on security best practices and techniques.
Software Engineer
San Francisco, CA · On-site
About Us * CEO Jack Cable is a top-ranked bug bounty hunter who previously led Secure by Design at CISA. * CTO Ashwin Ramaswami is an engineer who has built large-scale systems at Skiff, Caldera, and ...
Software Engineer
San Francisco, CA · On-site
About Us * CEO Jack Cable is a top-ranked bug bounty hunter who previously led Secure by Design at CISA. * CTO Ashwin Ramaswami is an engineer who has built large-scale systems at Skiff, Caldera, and ...
... Bug Bounty Hunter (HTB CBBH) or Certified Red Team Operator (CRTO) from Zero Point Security or Certified Red Team Lead (CRTL) from Zero Point Security or Practical Network Penetration Tester (PNPT ...
... Bug Bounty Hunter (HTB CBBH) or Certified Red Team Operator (CRTO) from Zero Point Security or Certified Red Team Lead (CRTL) from Zero Point Security or Practical Network Penetration Tester (PNPT ...
HackTheBox Certified Active Directory Pentesting Expert HackTheBox Certified Penetration Testing Specialist HackTheBox Certified Bug Bounty Hunter VirtualHackingLabs Advanced+ Optional: GXPN, GWAPT ...
Quick apply
HackTheBox Certified Active Directory Pentesting Expert HackTheBox Certified Penetration Testing Specialist HackTheBox Certified Bug Bounty Hunter VirtualHackingLabs Advanced+ Optional: GXPN, GWAPT ...
You will combine hands-on technical leadership with people management, overseeing programs that include subcomponents of Apple's bug bounty program, proactive vulnerability discovery, WAF rule ...
You will combine hands-on technical leadership with people management, overseeing programs that include subcomponents of Apple's bug bounty program, proactive vulnerability discovery, WAF rule ...
You will combine hands-on technical leadership with people management, overseeing programs that include subcomponents of Apple's bug bounty program, proactive vulnerability discovery, WAF rule ...
You will combine hands-on technical leadership with people management, overseeing programs that include subcomponents of Apple's bug bounty program, proactive vulnerability discovery, WAF rule ...
CNO Developer
$129K - $177K/yr
Desire to contribute to CTF events, bug bounty programs, and speaking at the security conferences * Rapid Prototype Software Development Security Clearance: * Active TS/SCI level clearance. Must be ...
CNO Developer
$129K - $177K/yr
Desire to contribute to CTF events, bug bounty programs, and speaking at the security conferences * Rapid Prototype Software Development Security Clearance: * Active TS/SCI level clearance. Must be ...
CNO Developer
Chantilly, VA · On-site
$130K - $178K/yr
... events, bug bounty programs, and speaking at the security conferences • Rapid Prototype Software Development Company : Accenture Federal Services is a leading US federal services company and ...
CNO Developer
Chantilly, VA · On-site
$130K - $178K/yr
... events, bug bounty programs, and speaking at the security conferences • Rapid Prototype Software Development Company : Accenture Federal Services is a leading US federal services company and ...
Bug Bounty information
See salary details
$12.98 - $14.16
2% of jobs
$14.16 - $15.34
4% of jobs
$15.34 - $16.52
7% of jobs
$17.55 is the 25th percentile. Wages below this are outliers.
$16.52 - $17.70
13% of jobs
$17.70 - $18.88
19% of jobs
The median wage is $19.22 / hr.
$18.88 - $20.06
15% of jobs
$20.06 - $21.24
12% of jobs
$21.54 is the 75th percentile. Wages above this are outliers.
$21.24 - $22.42
11% of jobs
$22.42 - $23.60
9% of jobs
$23.60 - $24.78
7% of jobs
$24.78 - $25.96
1% of jobs
$12
$20
$25
How much do bug bounty jobs pay per hour?
As of Jun 23, 2026, the average hourly pay for bug bounty in the United States is $20.98, according to ZipRecruiter salary data. Most workers in this role earn between $17.31 and $22.12 per hour, depending on experience, location, and employer.
What does bug mean?
In the context of a bug bounty role, a bug refers to a security vulnerability or flaw in software or a website that could be exploited by attackers. Bug bounty programs reward security researchers for identifying and responsibly reporting these issues, often requiring skills in testing, analysis, and familiarity with tools like penetration testing frameworks.
What are the typical daily responsibilities of someone participating in bug bounty programs?
As a bug bounty professional, your daily activities often involve researching target applications, actively probing for vulnerabilities using automated tools and manual techniques, and documenting your findings in detailed reports. You may spend significant time reproducing and validating security issues before responsibly disclosing them to the organization via official bug bounty platforms. Collaboration is usually asynchronous, with occasional interactions with in-house security teams for clarification or follow-up on reported issues. Managing your workflow and keeping up with evolving security trends are also essential parts of the job, ensuring your findings remain thorough and relevant.
Is the movie bug worth watching?
The term 'bug' in a job context typically refers to security vulnerabilities identified during bug bounty programs. If you are interested in cybersecurity or bug bounty hunting, watching related movies can provide entertainment but may not offer practical skills. For job seekers, gaining hands-on experience with tools like Burp Suite or participating in bug bounty platforms is more valuable than movies about bugs.
What does bug mean in slang?
In slang, a 'bug' often refers to a hidden listening device or surveillance tool. In the context of bug bounty roles, it can also mean identifying software vulnerabilities or security flaws in applications or systems. Understanding this slang helps security professionals communicate effectively during penetration testing and vulnerability assessments.
What are the key skills and qualifications needed to thrive in the Bug Bounty position, and why are they important?
To thrive as a Bug Bounty professional, you need a strong understanding of web application security, programming languages, and vulnerability assessment methodologies. Familiarity with tools such as Burp Suite, OWASP ZAP, and various penetration testing frameworks, as well as certifications like OSCP or CEH, is highly valued. Persistence, attention to detail, and effective written communication are essential soft skills in this role. These competencies enable professionals to discover, document, and report security flaws accurately, helping organizations improve their cyber defenses.
What is a Bug Bounty job?
A Bug Bounty job involves finding and reporting security vulnerabilities in software, websites, or systems in exchange for monetary rewards. Companies run bug bounty programs to leverage ethical hackers' skills in identifying potential threats before malicious hackers can exploit them. Bug bounty hunters typically work as independent security researchers and submit vulnerability reports to organizations through platforms like HackerOne, Bugcrowd, or Synack. Payments vary based on the severity of the discovered flaw, with critical vulnerabilities earning the highest rewards.
What cleaners do bugs hate?
In bug bounty work, bugs are computer vulnerabilities, not insects, so cleaners are not relevant. However, in cybersecurity, certain cleaning tools like malware removal software can help eliminate malicious code, but they do not 'hate' cleaners. The focus is on identifying and fixing security flaws rather than cleaning products.
More about Bug Bounty jobs
What cities are hiring for Bug Bounty jobs? Cities with the most Bug Bounty job openings:
What are the most commonly searched types of Bug Bounty jobs? The most popular types of Bug Bounty jobs are:
What states have the most Bug Bounty jobs? States with the most job openings for Bug Bounty jobs include:
What job categories do people searching Bug Bounty jobs look for? The top searched job categories for Bug Bounty jobs are:
Full-time
This job post has expired today. Applications are no longer accepted.
Job description
About the Role:
We're looking for a Security Engineer who is equally at home hardening a CI/CD pipeline, reviewing a change to the authentication system on the backend, and triaging a bug bounty submission before lunch.This is a hands-on, builder-first role - not a governance checkbox. You'll own security operations end-to-end, embedded directly into the engineering team and working closely with infrastructure, protocol and platform.
If you treat threat modeling as a design conversation and not a compliance exercise, you're our kind of person. You should only apply for this role if you are ready to come into the office every day and work in person with our team!
What You'll Do:
Security Operations
Own day-to-day security operations: monitoring, alerting, triage, and response
Manage and monitor endpoint security via an EDR system - tune detections, investigate alerts, and drive incidents to resolution
Lead identity lifecycle management, including employee onboarding and off boarding (access provisioning, key rotation, deprovisioning)
Bug Bounty & Vulnerability Management
Be the primary owner of our ImmuneFi program - triaging, reproducing, and responding to incoming submissions daily
Prioritize and track vulnerabilities through to remediation in close collaboration with protocol and engineering teams
Develop internal tooling and processes to make the bounty workflow faster and more consistent
DevSecOps & Pipeline Hardening
Audit and harden CI/CD pipelines - secrets management, supply chain integrity, SAST/DAST integration, build provenance
Own dependency security: identify and remediate vulnerable packages across repositories (yes, including the npm dependency hell)
Establish and enforce security standards across the SDLC
Infrastructure Security
Partner with the infrastructure team to review and harden cloud environments (access controls, network segmentation, least privilege, logging)
Contribute to threat modeling for new systems and architectural changes
Drive implementation of security tooling across the stack
Vendor & External Partner Management
Own relationships with external security vendors and service providers - holding them accountable toSLAs, managing scope, and ensuring findings are actioned
Evaluate and onboard new security tooling as the team and threat landscape evolve
What We're Looking For:
5-8+ years of experience in software and security engineering, with meaningful time in a DevSecOps or security operations context
Strong software engineering fundamentals - you're a builder who writes code, not just policy
Hands-on experience hardening CI/CD pipelines (GitHub Actions, CircleCI, or similar) and cloud infrastructure (AWS, GCP, or equivalent)
Proficiency with endpoint security tooling (CrowdStrike or equivalent EDR)
Comfort owning identity and access management processes, including onboarding/offboarding workflows
Strong communication skills - you can write a clear triage report, give direct feedback to a developer and explain risk to a non-technical stakeholder
Nice to Have:
You were a traditional software engineer before specializing in security
Prior experience at a DeFi protocol, crypto exchange, or blockchain infrastructure company
CTF/security competition background
Contributions to open-source security tooling
What Success Looks Like:
In your first 90 days, you've mapped our attack surface, established a daily rhythm on ImmuneFi, and shipped at least a few meaningful PRs across the full stack. Within six months, you've built enough trust in the team that engineers come to you before shipping sensitive PRs, not after.
We're looking for a Security Engineer who is equally at home hardening a CI/CD pipeline, reviewing a change to the authentication system on the backend, and triaging a bug bounty submission before lunch.This is a hands-on, builder-first role - not a governance checkbox. You'll own security operations end-to-end, embedded directly into the engineering team and working closely with infrastructure, protocol and platform.
If you treat threat modeling as a design conversation and not a compliance exercise, you're our kind of person. You should only apply for this role if you are ready to come into the office every day and work in person with our team!
What You'll Do:
Security Operations
Own day-to-day security operations: monitoring, alerting, triage, and response
Manage and monitor endpoint security via an EDR system - tune detections, investigate alerts, and drive incidents to resolution
Lead identity lifecycle management, including employee onboarding and off boarding (access provisioning, key rotation, deprovisioning)
Bug Bounty & Vulnerability Management
Be the primary owner of our ImmuneFi program - triaging, reproducing, and responding to incoming submissions daily
Prioritize and track vulnerabilities through to remediation in close collaboration with protocol and engineering teams
Develop internal tooling and processes to make the bounty workflow faster and more consistent
DevSecOps & Pipeline Hardening
Audit and harden CI/CD pipelines - secrets management, supply chain integrity, SAST/DAST integration, build provenance
Own dependency security: identify and remediate vulnerable packages across repositories (yes, including the npm dependency hell)
Establish and enforce security standards across the SDLC
Infrastructure Security
Partner with the infrastructure team to review and harden cloud environments (access controls, network segmentation, least privilege, logging)
Contribute to threat modeling for new systems and architectural changes
Drive implementation of security tooling across the stack
Vendor & External Partner Management
Own relationships with external security vendors and service providers - holding them accountable toSLAs, managing scope, and ensuring findings are actioned
Evaluate and onboard new security tooling as the team and threat landscape evolve
What We're Looking For:
5-8+ years of experience in software and security engineering, with meaningful time in a DevSecOps or security operations context
Strong software engineering fundamentals - you're a builder who writes code, not just policy
Hands-on experience hardening CI/CD pipelines (GitHub Actions, CircleCI, or similar) and cloud infrastructure (AWS, GCP, or equivalent)
Proficiency with endpoint security tooling (CrowdStrike or equivalent EDR)
Comfort owning identity and access management processes, including onboarding/offboarding workflows
Strong communication skills - you can write a clear triage report, give direct feedback to a developer and explain risk to a non-technical stakeholder
Nice to Have:
You were a traditional software engineer before specializing in security
Prior experience at a DeFi protocol, crypto exchange, or blockchain infrastructure company
CTF/security competition background
Contributions to open-source security tooling
What Success Looks Like:
In your first 90 days, you've mapped our attack surface, established a daily rhythm on ImmuneFi, and shipped at least a few meaningful PRs across the full stack. Within six months, you've built enough trust in the team that engineers come to you before shipping sensitive PRs, not after.