This includes hands-on ownership of Vercel's open source bug bounty program for these projects: triaging incoming reports, validating and reproducing findings, and driving fixes with the right ...
This includes hands-on ownership of Vercel's open source bug bounty program for these projects: triaging incoming reports, validating and reproducing findings, and driving fixes with the right ...
Staff+ Application Security Engineer
San Francisco, CA · On-site +1
$320K - $485K/yr
Evolve a public bug bounty program where automation handles routine triage and root-cause work, and engineers handle escalations and corner cases * Partner with Product, Infrastructure, and Research ...
Staff+ Application Security Engineer
San Francisco, CA · On-site +1
$320K - $485K/yr
Evolve a public bug bounty program where automation handles routine triage and root-cause work, and engineers handle escalations and corner cases * Partner with Product, Infrastructure, and Research ...
Product Security Engineer
San Francisco, CA · On-site +1
If you're located beyond that distance, the role is fully remote. For location-specific details ... Own and evolve the bug bounty program: Manage the researcher-facing side (scope, policy, engagement ...
Product Security Engineer
San Francisco, CA · On-site +1
If you're located beyond that distance, the role is fully remote. For location-specific details ... Own and evolve the bug bounty program: Manage the researcher-facing side (scope, policy, engagement ...
Security Engineer
San Francisco, CA · Remote
Help run penetration testing, offensive security exercises, and support our bug bounty program ... Remote
Security Engineer
San Francisco, CA · Remote
Help run penetration testing, offensive security exercises, and support our bug bounty program ... Remote
Archon Labs - Blockchain Developer
San Francisco, CA · On-site +1
Experience with formal verification, bug bounty programs, or audit coordination. * Familiarity with time-series and relational data models. * Exposure to infrastructure basics such as containers and ...
Archon Labs - Blockchain Developer
San Francisco, CA · On-site +1
Experience with formal verification, bug bounty programs, or audit coordination. * Familiarity with time-series and relational data models. * Exposure to infrastructure basics such as containers and ...
Founding Account Executive
San Francisco, CA · On-site +1
$150K - $300K/yr
Location: San Francisco, CA (remote considered for candidates with a strong existing book) Work ... bug bounty hunters. They are a Y Combinator alum, recently closed a $12.5M seed round, and have ...
Founding Account Executive
San Francisco, CA · On-site +1
$150K - $300K/yr
Location: San Francisco, CA (remote considered for candidates with a strong existing book) Work ... bug bounty hunters. They are a Y Combinator alum, recently closed a $12.5M seed round, and have ...
Sr. Kinaxis Consultant
Fremont, CA · Remote
Role : Sr. Kinaxis Consultant Remote + Monthly twice travel to CA (on client expenses) Duration ... program. * The ideal candidate will engage directly with the customer to demonstrate Kinaxis ...
Quick apply
Sr. Kinaxis Consultant
Fremont, CA · Remote
Role : Sr. Kinaxis Consultant Remote + Monthly twice travel to CA (on client expenses) Duration ... program. * The ideal candidate will engage directly with the customer to demonstrate Kinaxis ...
Senior Software Engineer - Video
Berkeley, CA · On-site +1
$150K - $197K/yr
Help maintain the audio/video pipeline software including routine bug fixes and development of ... program - Medical, Dental, Vision, 401K - Passionate team members, ambitious vision and a culture ...
Senior Software Engineer - Video
Berkeley, CA · On-site +1
$150K - $197K/yr
Help maintain the audio/video pipeline software including routine bug fixes and development of ... program - Medical, Dental, Vision, 401K - Passionate team members, ambitious vision and a culture ...
... programs. SFBU's mission is to offer inclusive, innovative, and inspirational education for ... The role is eligible for a hybrid or remote work arrangement, subject to University policies and ...
... programs. SFBU's mission is to offer inclusive, innovative, and inspirational education for ... The role is eligible for a hybrid or remote work arrangement, subject to University policies and ...
Staff Controls Engineer - OT SCADA Projects
Berkeley, CA · On-site +1
$150K - $190K/yr
... • Program and commission SEL controllers using AcSELerator; develop control logic in Codesys ... development and bug fixes in collaboration with the Product Engineering team • Review ...
Staff Controls Engineer - OT SCADA Projects
Berkeley, CA · On-site +1
$150K - $190K/yr
... • Program and commission SEL controllers using AcSELerator; develop control logic in Codesys ... development and bug fixes in collaboration with the Product Engineering team • Review ...
Staff Controls Engineer - OT SCADA Projects
Berkeley, CA · Remote
$150K - $190K/yr
... • Program and commission SEL controllers using AcSELerator; develop control logic in Codesys ... development and bug fixes in collaboration with the Product Engineering team • Review ...
Quick apply
Staff Controls Engineer - OT SCADA Projects
Berkeley, CA · Remote
$150K - $190K/yr
... • Program and commission SEL controllers using AcSELerator; develop control logic in Codesys ... development and bug fixes in collaboration with the Product Engineering team • Review ...
Remote Bug Bounty Program information
See Berkeley, CA salary details
$20.01 - $26.95
6% of jobs
$26.95 - $33.88
14% of jobs
$38.33 is the 25th percentile. Wages below this are outliers.
$33.88 - $40.81
7% of jobs
$40.81 - $47.74
1% of jobs
$47.74 - $54.67
13% of jobs
The median wage is $58.63 / hr.
$54.67 - $61.60
15% of jobs
$61.60 - $68.53
3% of jobs
$68.53 - $75.46
9% of jobs
$79.96 is the 75th percentile. Wages above this are outliers.
$75.46 - $82.39
11% of jobs
$82.39 - $89.32
15% of jobs
$89.32 - $96.25
6% of jobs
$20
$60
$96
How much do remote bug bounty program jobs pay per hour?
What are Remote Bug Bounty Programs?
What are the biggest challenges faced by participants in a remote bug bounty program, and how can they be addressed?
What is the difference between Remote Bug Bounty Program vs Remote Penetration Tester?
| Aspect | Remote Bug Bounty Program | Remote Penetration Tester |
|---|---|---|
| Credentials | Typically no formal certifications required, but cybersecurity knowledge helps | Often holds certifications like OSCP, CEH, or CISSP |
| Work Environment | Participates remotely, often independently, on various platforms | Works remotely or on-site for clients, conducting security assessments |
| Employer & Industry Usage | Used by companies to crowdsource security testing; industry-wide | Employed by organizations or consulting firms to perform security audits |
While both roles focus on cybersecurity, a Remote Bug Bounty Program involves independent testing on platforms to find vulnerabilities, whereas a Remote Penetration Tester conducts comprehensive security assessments for organizations, often with formal credentials and direct client engagement.
What are the key skills and qualifications needed to thrive in a Remote Bug Bounty Program role, and why are they important?
Full-time
Posted 3 days ago
Job description
Vercel is the agentic infrastructure company. We free people and agents to ship what's next.
For more than a decade, Vercel has shaped how the web is built. As the team behind Next.js, v0, and AI SDK, we create products that help builders move from idea to production with speed, security, and exceptional developer experience.
Now, software is entering a new era, and the next generation of products will not just be used by people. They will be built, extended, and operated by agents.
We are building the platform for that future, trusted by companies like OpenAI, PayPal, Ramp, Supreme, and millions of developers worldwide. Whether you're building our products, supporting our customers, growing our community, or shaping our story, you'll help define what comes next.
About the role
Vercel builds and maintains a broad portfolio of open source projects that power the modern web, running in millions of applications. Your primary focus will be Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro. A single structural fix at the framework level protects every one of those applications at once, which makes this one of the highest-leverage security roles at the company.
We're looking for a security engineer who loves finding a whole class of vulnerability and eliminating it in one move, not someone who's satisfied filing one bug at a time. You'll run deep security assessments of framework internals (routing, middleware, caching, server actions, the build pipeline), find the systemic patterns that produce entire families of bugs, and drive the framework-level fixes and design changes that remove them permanently. You'll also own how these projects handle externally reported vulnerabilities, coordinated disclosure, and CVEs, working directly with maintainers and the open source security community. This includes hands-on ownership of Vercel's open source bug bounty program for these projects: triaging incoming reports, validating and reproducing findings, and driving fixes with the right maintainers.
What you will do
- Hunt for vulnerability classes, not individual bugs: Run deep security assessments of framework internals (routing, middleware, caching, data fetching, server actions/RSC boundaries, build tooling) to find the systemic design patterns that produce whole families of issues.
- Drive root-cause framework fixes: Push design changes upstream that eliminate a category of vulnerability across every application built on the framework, rather than patching individual instances as they're reported.
- Own vulnerability disclosure and CVEs: Triage security reports from the community and researchers across Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, Nitro, and other maintained OSS projects. Coordinate embargoed fixes, write and publish advisories, and manage the CVE/CNA process end to end.
- Run the OSS bug bounty program for these projects: Own triage and validation of incoming reports to Vercel's open source bug bounty program for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro. Reproduce findings, assess severity, and coordinate fixes with the right maintainers and researchers.
- Get security into design early: Partner with framework maintainers and core teams during RFCs and design review, so new features ship with security considered from the first draft, not bolted on after a report comes in.
- Build preventive tooling: Contribute linters, codemods, and CI checks that catch regressions of previously-fixed vulnerability classes before they land again.
- Own supply chain security for these projects: Harden how dependencies, releases, and published packages for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro are built, signed, and distributed. As more contributions and dependency updates are generated or assisted by AI agents, build the review and provenance practices that keep that increased volume safe.
- Work with the community, not around it: Engage directly with maintainers, contributors, and external researchers as peers. Bring pragmatic security recommendations to project discussions in a way that respects how these projects actually get built, and represent Vercel in coordinated disclosure norms and working groups when an issue spans multiple ecosystems.
- You've actually used or broken these frameworks: You've built real things with Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, or Nitro (or closely comparable projects), or you've found and reported security issues in them. This is a hard requirement, not a nice-to-have: we need someone who understands what these projects actually do and how they're actually used, not a generalist parachuting in.
- You have a deep appreciation and respect for open source work: You understand that these are community projects with maintainers, contributors, and users who care deeply about them, and you treat that with the seriousness it deserves. You're not here to slow the project down with process for its own sake.
- 4+ years in security engineering, ideally with real hands-on open source contribution experience. You've actually sent PRs to projects like these, not just filed issues against them.
- You're energized by root cause, not remediation count: Finding the one design flaw that kills fifty potential bugs is more satisfying to you than closing fifty tickets one at a time.
- You can read framework internals, not just application code: Strong JavaScript/TypeScript fundamentals and genuine familiarity with how modern meta-frameworks work under the hood (routing, SSR/RSC, middleware, bundling/build systems).
- Pragmatic, not theoretical: You can weigh real-world risk against maintainer and community bandwidth, and land on security improvements that actually ship, rather than the theoretically ideal fix that never gets merged.
- Vulnerability research chops: Experience with structured security assessment methodology and coordinated/responsible disclosure processes, including handling embargoes and writing clear advisories.
- Clear communicator: You can explain a vulnerability, a tradeoff, or a design recommendation clearly to maintainers, contributors, and non-security engineers alike, in writing and in conversation.
- Comfortable operating in public: You're used to working transparently with external researchers, maintainers, and the community, not just inside a company's four walls.
- CVE credits or published security research, especially in JavaScript frameworks or the Node ecosystem.
- Maintained or heavily contributed to a widely used open source project.
- Experience with supply chain security tooling (Sigstore, SLSA/provenance, dependency and package scanning).
- Thought about how increasing AI-agent-authored contributions change the risk model for open source maintenance.
- Run or triaged for a bug bounty / vulnerability disclosure program before, ideally for open source projects.
Benefits:
- Competitive compensation package, including equity.
- Inclusive Healthcare Package.
- Learn and Grow - we provide mentorship and send you to events that help you build your network and skills.
- Flexible Time Off.
- We will provide you the gear you need to do your role, and a WFH budget for you to outfit your space as needed.
The San Francisco, CA base pay range for this role is $208,000.00 - $312,000.00. Actual salary will be based on job-related skills, experience, and location. Compensation outside of San Francisco may be adjusted based on employee location. The total compensation package may include benefits, equity-based compensation, and eligibility for a company bonus or variable pay program depending on the role. Your recruiter can share more details during the hiring process.
Vercel is committed to fostering and empowering an inclusive community within our organization. We do not discriminate on the basis of race, religion, color, gender expression or identity, sexual orientation, national origin, citizenship, age, marital status, veteran status, disability status, or any other characteristic protected by law. Vercel encourages everyone to apply for our available positions, even if they don't necessarily check every box on the job description.
About Vercel
Sourced by ZipRecruiter
Industry
Software development
Company size
51 - 200 Employees
Headquarters location
Walnut, CA, US
Year founded
2015