About Vercel:
Vercel is the agentic infrastructure company. We free people and agents to ship what’s next.
For more than a decade, Vercel has shaped how the web is built. As the team behind Next.js, v0, and AI SDK, we create products that help builders move from idea to production with speed, security, and exceptional developer experience.
Now, software is entering a new era, and the next generation of products will not just be used by people. They will be built, extended, and operated by agents.
We are building the platform for that future, trusted by companies like OpenAI, PayPal, Ramp, Supreme, and millions of developers worldwide. Whether you’re building our products, supporting our customers, growing our community, or shaping our story, you’ll help define what comes next.
About the Role:
Traditional product security teams work one report at a time: a person triages a bug bounty submission, validates it, reproduces it, and hands it off for a fix. That doesn't scale past a certain volume, and Vercel is well past it. Adding more triagers doesn't close that gap. Building the systems that triage at that scale does.
This role is about building that system. Your core focus is tooling that triages and validates bug bounty and other externally reported security findings at scale, reasoning about validity, severity, and reproducibility the way a human triager would, but continuously and at volume. And we want to go beyond triage. The real leverage is in connecting a validated finding to its root cause and driving the fix, ideally with the remediation itself proposed or opened automatically for well-understood vulnerability classes.
More broadly, this is a mandate to rethink traditional security tooling for how Vercel actually operates: agent-scale testing and automation in place of processes built for a much smaller company. This role also has real scope to build tooling that gives our customers their own security testing capabilities for what they build on Vercel, not just harden Vercel's own surface.
Because of this, we're optimizing for someone who wants to build systems, not someone whose background is manual penetration testing. A software engineer with a strong desire to move into security, or a security engineer with a strong engineering background, is exactly who we're looking for.
If you're based within a pre-determined commuting distance of one of our offices (SF, NY, London, or Berlin), the role includes in-office anchor days on Monday, Tuesday, and Friday. If you're located beyond that distance, the role is fully remote. For location-specific details, please connect with our recruiting team.
What You Will Do:
- Build tooling to triage and validate bug bounty and external findings at scale: Design and operate the systems that take in externally reported vulnerabilities and automatically assess validity, severity, and reproducibility, at a volume no manual triage process could match.
- Push triage beyond pattern matching, into agentic analysis: Build and operate LLM/agent-based reasoning that can validate business logic, auth, and design-level findings, not just match against known signatures.
- Go from validated finding to root cause: Trace validated findings back to the underlying pattern or class, so the team fixes the reason it happened, not just the one report that came in.
- Build toward automated remediation, not just automated triage: Design systems that can propose, and increasingly open, the fix itself for well-understood vulnerability classes, with the right human review gates in place.
- Rethink traditional security tooling for scale: Question which parts of the traditional product security toolkit (manual threat modeling, ad hoc code review, point-in-time pentests) still make sense at Vercel's scale, and build the agent-driven tooling that replaces or augments them.
- Own and evolve the bug bounty program: Manage the researcher-facing side (scope, policy, engagement) as well as the internal tooling, so every report gets resolved and makes the automated triage smarter for the next one.
- Build toward customer-facing security testing capabilities: Extend the tooling and automation you build for Vercel's own products into a capability customers can use to test the security of what they build and deploy on the platform.
About You:
- You're a builder first: Strong software engineering background is more important here than classic penetration testing experience. You'd rather build the system that triages a thousand reports than work through them one at a time. We're equally excited by a software engineer who wants to move into security and a security engineer with a strong engineering background; a manual pentesting background alone is not what this role is optimized for.
- Understand vulnerability triage and validation, even if that's not your primary background: You know (or can quickly learn) how to assess an externally reported finding, reproduce it, and judge severity, and you understand what makes that process hard to scale.
- Curious about, or already building with, agentic and LLM-based security tooling: You have a point of view on where AI agents can reliably validate, root-cause, and fix vulnerabilities today, and where they can't yet.
- Root cause and systems thinking: You default to "how do I make this scale to the next ten thousand reports" and "why did this class of bug happen," rather than closing the one ticket in front of you.
- Comfortable defining a new practice: Agent-scale product security isn't a mature discipline yet. You're excited to help define what it looks like at Vercel rather than inherit a playbook.
- Web tech stack proficiency: Strong familiarity with JavaScript/TypeScript and Node.js runtime security, and modern web frameworks (ideally Next.js or React and Node-based frameworks), so you can read and validate the code your tooling is analyzing.
Bonus If You:
- Have built or contributed to security automation used broadly across an engineering org, not just for your own team.
- Have experience running or triaging a bug bounty / vulnerability disclosure program.
- Have experience testing or securing multi-tenant platforms where customer-built applications run on shared infrastructure.
- Have built systems that auto-generate or auto-propose code fixes, not just findings.
- Have thought about what security testing as a product capability could look like for a platform's customers.
- Hold relevant security certifications or recognitions (for example, OSCP, OSWE, CISSP, or notable bug bounty hall of fame entries). These demonstrate your depth of knowledge, though they are not required.
Benefits:
- Competitive compensation package, including equity.
- Inclusive Healthcare Package.
- Learn and Grow - we provide mentorship and send you to events that help you build your network and skills.
- Flexible Time Off.
- We will provide you the gear you need to do your role, and a WFH budget for you to outfit your space as needed.
Vercel is committed to fostering and empowering an inclusive community within our organization. We do not discriminate on the basis of race, religion, color, gender expression or identity, sexual orientation, national origin, citizenship, age, marital status, veteran status, disability status, or any other characteristic protected by law. Vercel encourages everyone to apply for our available positions, even if they don't necessarily check every box on the job description.
The San Francisco, CA base pay range for this role is $208,000.00 - $312,000.00. Actual salary will be based on job-related skills, experience, and location. Compensation outside of San Francisco may be adjusted based on employee location. The total compensation package may include benefits, equity-based compensation, and eligibility for a company bonus or variable pay program depending on the role. Your recruiter can share more details during the hiring process.