engineering
Posted 3 hours agoSecurity Software Engineer, Open Source Frameworks
at Vercel
New York City, United StatesHybrid
Responsibilities
- Hunt for vulnerability classes, not individual bugs: Run deep security assessments of framework internals (routing, middleware, caching, data fetching, server actions/RSC boundaries, build tooling) to find the systemic design patterns that produce whole families of issues.
- Drive root-cause framework fixes: Push design changes upstream that eliminate a category of vulnerability across every application built on the framework, rather than patching individual instances as they're reported.
- Own vulnerability disclosure and CVEs: Triage security reports from the community and researchers across Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, Nitro, and other maintained OSS projects.
- Coordinate embargoed fixes, write and publish advisories, and manage the CVE/CNA process end to end.
- Run the OSS bug bounty program for these projects: Own triage and validation of incoming reports to Vercel's open source bug bounty program for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro.
- Build preventive tooling: Contribute linters, codemods, and CI checks that catch regressions of previously-fixed vulnerability classes before they land again.
- Own supply chain security for these projects: Harden how dependencies, releases, and published packages for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro are built, signed, and distributed.
Requirements
- As the team behind Next.js, v0, and AI SDK, we create products that help builders move from idea to production with speed, security, and exceptional developer experience.
- Your primary focus will be Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro .
- You'll also own how these projects handle externally reported vulnerabilities, coordinated disclosure, and CVEs, working directly with maintainers and the open source security community.
- As more contributions and dependency updates are generated or assisted by AI agents, build the review and provenance practices that keep that increased volume safe.
- You've actually used or broken these frameworks: You've built real things with Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, or Nitro (or closely comparable projects), or you've found and reported security issues in them.
- You can read framework internals, not just application code: Strong JavaScript/TypeScript fundamentals and genuine familiarity with how modern meta-frameworks work under the hood (routing, SSR/RSC, middleware, bundling/build systems).
- Experience with structured security assessment methodology and coordinated/responsible disclosure processes, including handling embargoes and writing clear advisories.
- CVE credits or published security research, especially in JavaScript frameworks or the Node ecosystem.
- Experience with supply chain security tooling (Sigstore, SLSA/provenance, dependency and package scanning).
- Thought about how increasing AI-agent-authored contributions change the risk model for open source maintenance.
Experience
- 4+ years in security engineering, ideally with real hands-on open source contribution experience. You've actually sent PRs to projects like these, not just filed issues against them.
Benefits
- We are building the platform for that future, trusted by companies like OpenAI, PayPal, Ramp, Supreme, and millions of developers worldwide .
- This includes hands-on ownership of Vercel's open source bug bounty program for these projects: triaging incoming reports, validating and reproducing findings, and driving fixes with the right maintainers. What you will do
- Comfortable operating in public: You're used to working transparently with external researchers, maintainers, and the community, not just inside a company's four walls. Bonus if you have
- Run or triaged for a bug bounty / vulnerability disclosure program before, ideally for open source projects. Benefits:
- Competitive compensation package, including equity.
- Inclusive Healthcare Package.
- Learn and Grow - we provide mentorship and send you to events that help you build your network and skills. Flexible Time Off.
- The San Francisco, CA base pay range for this role is $208,000.00 - $312,000.00.
- Actual salary will be based on job-related skills, experience, and location.
- Compensation outside of San Francisco may be adjusted based on employee location.
- The total compensation package may include benefits, equity-based compensation, and eligibility for a company bonus or variable pay program depending on the role.
Additional details
- Vercel is the agentic infrastructure company. We free people and agents to ship what’s next.
- For more than a decade, Vercel has shaped how the web is built.
- Now, software is entering a new era, and the next generation of products will not just be used by people. They will be built, extended, and operated by agents.
- Whether you’re building our products, supporting our customers, growing our community, or shaping our story, you’ll help define what comes next. About the role
- Vercel builds and maintains a broad portfolio of open source projects that power the modern web, running in millions of applications.
- A single structural fix at the framework level protects every one of those applications at once, which makes this one of the highest-leverage security roles at the company.
- We're looking for a security engineer who loves finding a whole class of vulnerability and eliminating it in one move, not someone who's satisfied filing one bug at a time.
- You'll run deep security assessments of framework internals (routing, middleware, caching, server actions, the build pipeline), find the systemic patterns that produce entire families of bugs, and drive the framework-level fixes and design changes that remove them permanently.
- Reproduce findings, assess severity, and coordinate fixes with the right maintainers and researchers.
- Get security into design early: Partner with framework maintainers and core teams during RFCs and design review, so new features ship with security considered from the first draft, not bolted on after a report comes in.