Back to jobs

Product Security Engineer (PSIRT - Product Security Incident Response Team)

Replit
Foster City, CA · Remote OK full-time
Python Go GCP

Replit is the agentic software creation platform that enables anyone to build applications using natural language. With millions of users worldwide, Replit is democratizing software development by removing traditional barriers to application creation. ABOUT THE ROLE We are looking for a highly skilled PSIRT Engineer to lead the vulnerability response program for Replit’s cloud-native AI platform. You will own the lifecycle of security vulnerabilities affecting our products and services—from intake to validation, remediation coordination, and public disclosure. This role requires strong technical ability to reproduce vulnerabilities, deep understanding of web/app/cloud exploit classes, and experience operating bug bounty and coordinated disclosure programs. You will work closely with Engineering, Cloud Security, SecOps, SRE, and IT teams to ensure vulnerabilities are fixed quickly and communicated responsibly. WHAT YOU’LL DO VULNERABILITY INTAKE, TRIAGE & VALIDATION - Manage intake from bug bounty platforms (HackerOne preferred), customer reports, automated scanners, pentest reports, and coordinated disclosure channels. - Independently validate, reproduce, severity-score, and document findings. - Identify duplicates and maintain a clean vulnerability records pipeline. - Assess relevance and exploitability using OWASP, cloud misconfiguration patterns, and identity/authentication/authorization risks (Oauth, OIDC). REMEDIATION COORDINATION & SLA MANAGEMENT - Work with Engineering, SecOps, IT, SRE, and Cloud Security to confirm product impact and drive remediation. - Provide detailed reproduction steps, proof-of-concepts, and technical analyses. - Track SLAs, remediation progress, regression testing, and systemic improvements. - Support SOC 2, ISO 27001, and pentest evidence needs as part of vulnerability lifecycle governance. BUG BOUNTY & VULNERABILITY DISCLOSURE PROGRAM MANAGEMENT - Design and evolve the bug bounty program, including scope, rules, and reward structures

Your application goes directly to Replit. DataU Upskillers does not share your data with third parties.