Vercel: Senior Product Security Engineer
Description
Headquarters: Remote - United States
About Vercel:
Vercel gives developers the tools and cloud infrastructure to build, scale, and secure a faster, more personalized web. As the team behind v0, Next.js, and AI SDK, Vercel helps customers like Ramp, Supreme, PayPal, and Under Armour build for the AI-native web.
Our mission is to enable the world to ship the best products. That starts with creating a place where everyone can do their best work. Whether you're building on our platform, supporting our customers, or shaping our story: You can just ship things.
About the Role:
We are looking for a Senior Product Security Engineer to join our security team to drive critical product security initiatives across Vercel’s products and platform. Your core focus will be on threat modeling, open-source software security, secure code review, SDLC tooling, and bug bounty program management. You will support both our internal product engineering teams and customer-facing security programs, ensuring that security is embedded throughout our development lifecycle and that our platform earns the trust of developers and end-users alike.
As a senior member of the team, you will lead cross-organizational security projects and champion a security-first culture within Vercel’s engineering organization. This is a high-impact role with broad scope – your work will not only secure Vercel’s core infrastructure and products (built with Next.js, Node.js, and serverless architecture), but also influence the security of the open-source ecosystems we contribute to.
If you’re based within a pre-determined commuting distance of one of our offices (SF, NY, London, or Berlin), the role includes in-office anchor days on Monday, Tuesday, and Friday. If you're located beyond that distance, the role is fully remote. For location-specific details, please connect with our recruiting team.
What You Will Do:
- Threat Modeling & Design Review: Partner with engineering and product teams to perform threat modeling for new and existing features. Identify potential risks early in the design phase and recommend security controls or design changes to mitigate threats. You will ensure security concerns are addressed from the inception of features through deployment.
- Secure Code Review: Conduct secure code reviews and security assessments on products and services built with Next.js, Node.js, and our serverless backend. You’ll uncover code-level vulnerabilities, provide actionable remediation guidance to developers, and establish best practices for secure coding across the engineering team.
- Open Source Security Management: Oversee Vercel’s open-source security efforts. This includes monitoring and coordinating fixes for vulnerabilities in third-party open-source packages we use (as a consumer) and ensuring the security of the open-source projects we maintain and publish (as a contributor/publisher, e.g. Next.js). You will work with maintainers and the community on responsible disclosure and patching of security issues in open-source code.
- SDLC Tooling & Automation: Evaluate, select, and integrate security tools into our Software Development Life Cycle. You will drive the implementation of automated security checks – for example, using GitHub Advanced Security (GHAS) and other static analysis, dependency scanning, and secret detection tools – directly in our CI/CD pipelines and GitHub workflows. By embedding security tooling into developer workflows, you will help catch issues early and reduce manual effort.
- Bug Bounty Program Management: Own and expand Vercel’s bug bounty program. You will triage and validate incoming vulnerability reports from the security researcher community, ensure critical issues are promptly addressed, and coordinate cross-team efforts to remediate and learn from reported vulnerabilities. You’ll also work on making our bug bounty a world-class, researcher-friendly program, including refining policies, scope, and engagement to encourage high-quality submissions.
- Cross-Organizational Security Initiatives: Lead and contribute to security projects that span multiple teams and disciplines. For example, you might drive a company-wide upgrade to a more secure framework, implement a new authentication/authorization mechanism in collaboration with product teams, or roll out a security awareness program for engineers. You will act as a security champion across the org, aligning stakeholders from Engineering, DevOps, Product, and other groups to implement lasting security improvements.
- Customer-Facing Security Support:
Interview Prep Guide
Preparation Strategy
To prepare for this role, focus on reviewing your knowledge of security engineering, threat modeling, and secure code review. Practice explaining technical security concepts and your approach to security engineering. Review your experience with collaboration and communication, and prepare examples of your accomplishments in driving security initiatives. Additionally, research Vercel's products and platform to demonstrate your understanding of the company's security needs.
Likely Interview Rounds
- 1. Screening call (~30 min)
What to prep: Review your experience with security engineering, threat modeling, and secure code review. Be prepared to discuss your approach to identifying and mitigating security risks.
- What experience do you have with threat modeling and secure code review?
- How do you stay up-to-date with the latest security threats and trends?
- 2. Technical (~60 min)
What to prep: Review your knowledge of secure coding practices, threat modeling, and security assessments. Practice explaining technical security concepts and your approach to security engineering.
- How would you conduct a secure code review for a Node.js application?
- What security considerations would you take into account when designing a serverless architecture?
- 3. System design (~60 min)
What to prep: Review your knowledge of system design, security architecture, and DevOps practices. Practice designing and explaining secure systems and architectures.
- Design a secure CI/CD pipeline for a cloud-based application.
- How would you integrate security tools into a software development lifecycle?
- 4. Behavioral (~60 min)
What to prep: Review your experience with security engineering, collaboration, and communication. Prepare examples of your accomplishments and experiences in driving security initiatives.
- Tell me about a time when you identified and mitigated a security risk in a previous role.
- How do you collaborate with cross-functional teams to drive security initiatives?
Most Likely Questions
- What do you know about Vercel's products and platform?
- How do you approach secure code review and threat modeling?
- What experience do you have with open-source security management?
- How do you stay current with the latest security threats and trends?
- Can you describe your experience with bug bounty program management?
Common Pitfalls
- Lack of experience with cloud-based security
- Inadequate knowledge of secure coding practices
- Insufficient understanding of threat modeling and risk assessment
Free Prep Resources
- OWASP
- SANS Institute
- GitHub Advanced Security (GHAS)