jobloom

JobLoom finds jobs directly from company career sites before many job boards, then routes you into detailed role pages like this one.

engineering

Posted 3 hours ago

Security Software Engineer, Open Source Frameworks

at Vercel

New York City, United StatesHybrid

Responsibilities

  • Hunt for vulnerability classes, not individual bugs: Run deep security assessments of framework internals (routing, middleware, caching, data fetching, server actions/RSC boundaries, build tooling) to find the systemic design patterns that produce whole families of issues.
  • Drive root-cause framework fixes: Push design changes upstream that eliminate a category of vulnerability across every application built on the framework, rather than patching individual instances as they're reported.
  • Own vulnerability disclosure and CVEs: Triage security reports from the community and researchers across Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, Nitro, and other maintained OSS projects.
  • Coordinate embargoed fixes, write and publish advisories, and manage the CVE/CNA process end to end.
  • Run the OSS bug bounty program for these projects: Own triage and validation of incoming reports to Vercel's open source bug bounty program for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro.
  • Build preventive tooling: Contribute linters, codemods, and CI checks that catch regressions of previously-fixed vulnerability classes before they land again.
  • Own supply chain security for these projects: Harden how dependencies, releases, and published packages for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro are built, signed, and distributed.

Requirements

  • As the team behind Next.js, v0, and AI SDK, we create products that help builders move from idea to production with speed, security, and exceptional developer experience.
  • Your primary focus will be Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro .
  • You'll also own how these projects handle externally reported vulnerabilities, coordinated disclosure, and CVEs, working directly with maintainers and the open source security community.
  • As more contributions and dependency updates are generated or assisted by AI agents, build the review and provenance practices that keep that increased volume safe.
  • You've actually used or broken these frameworks: You've built real things with Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, or Nitro (or closely comparable projects), or you've found and reported security issues in them.
  • You can read framework internals, not just application code: Strong JavaScript/TypeScript fundamentals and genuine familiarity with how modern meta-frameworks work under the hood (routing, SSR/RSC, middleware, bundling/build systems).
  • Experience with structured security assessment methodology and coordinated/responsible disclosure processes, including handling embargoes and writing clear advisories.
  • CVE credits or published security research, especially in JavaScript frameworks or the Node ecosystem.
  • Experience with supply chain security tooling (Sigstore, SLSA/provenance, dependency and package scanning).
  • Thought about how increasing AI-agent-authored contributions change the risk model for open source maintenance.

Experience

  • 4+ years in security engineering, ideally with real hands-on open source contribution experience. You've actually sent PRs to projects like these, not just filed issues against them.

Benefits

  • We are building the platform for that future, trusted by companies like OpenAI, PayPal, Ramp, Supreme, and millions of developers worldwide .
  • This includes hands-on ownership of Vercel's open source bug bounty program for these projects: triaging incoming reports, validating and reproducing findings, and driving fixes with the right maintainers. What you will do
  • Comfortable operating in public: You're used to working transparently with external researchers, maintainers, and the community, not just inside a company's four walls. Bonus if you have
  • Run or triaged for a bug bounty / vulnerability disclosure program before, ideally for open source projects. Benefits:
  • Competitive compensation package, including equity.
  • Inclusive Healthcare Package.
  • Learn and Grow - we provide mentorship and send you to events that help you build your network and skills. Flexible Time Off.
  • The San Francisco, CA base pay range for this role is $208,000.00 - $312,000.00.
  • Actual salary will be based on job-related skills, experience, and location.
  • Compensation outside of San Francisco may be adjusted based on employee location.
  • The total compensation package may include benefits, equity-based compensation, and eligibility for a company bonus or variable pay program depending on the role.

Additional details

  • Vercel is the agentic infrastructure company. We free people and agents to ship what’s next.
  • For more than a decade, Vercel has shaped how the web is built.
  • Now, software is entering a new era, and the next generation of products will not just be used by people. They will be built, extended, and operated by agents.
  • Whether you’re building our products, supporting our customers, growing our community, or shaping our story, you’ll help define what comes next. About the role
  • Vercel builds and maintains a broad portfolio of open source projects that power the modern web, running in millions of applications.
  • A single structural fix at the framework level protects every one of those applications at once, which makes this one of the highest-leverage security roles at the company.
  • We're looking for a security engineer who loves finding a whole class of vulnerability and eliminating it in one move, not someone who's satisfied filing one bug at a time.
  • You'll run deep security assessments of framework internals (routing, middleware, caching, server actions, the build pipeline), find the systemic patterns that produce entire families of bugs, and drive the framework-level fixes and design changes that remove them permanently.
  • Reproduce findings, assess severity, and coordinate fixes with the right maintainers and researchers.
  • Get security into design early: Partner with framework maintainers and core teams during RFCs and design review, so new features ship with security considered from the first draft, not bolted on after a report comes in.

Find more real-time jobs on JobLoom.