Product Security Engineer - Bug Bounty

Ursus, Inc.

Lehi, UT

JOB DETAILS
SALARY
$74–$84.51 Per Hour
SKILLS
(XSS) Cross Site Scripting, Amazon Web Services (AWS), Application Programming Interface (API), Applications Security, Artificial Intelligence (AI), Authentication, Calibration, Cloud Computing, Communication Skills, Computer Security, Digital Media, Documentation, Enterprise Protection, GCP (Good Clinical Practices), Industry Standards, Injections, Internet Security, Marketing, Microsoft Windows Azure, Online Courses, Penetration Testing, Product Engineering, Proof of Concept, Research Skills, SQL (Structured Query Language), Scripting (Scripting Languages), Security Attacks, Software as a Service (SaaS), Taxonomies, Time Management, Web Browsers, Writing Skills
LOCATION
Lehi, UT
POSTED
4 days ago
JOB TITLE: Product Security Engineer - Bug Bounty
LOCATION: Lehi, UT
PAY RANGE: $74 - $84/hr.
DURATION: 4 to 6 Months

TOP 3 SKILLS:
  • 3+ years of experience in application security, penetration testing, or a bug bounty/vulnerability disclosure role.
  • Strong understanding of CVSS v3.1 scoring and hands-on experience applying it to real-world vulnerabilities.
  • Proficiency in common web vulnerability classes: XSS, SQL injection, SSRF, IDOR, authentication flaws, and business logic issues.

Company:
Our client is a global leader in creative software, offering innovative tools for digital media creation, design, and marketing.

About the Role:
Client is seeking a Product Security Engineer to support our Bug Bounty program on a 6-month contract engagement, backfilling a team member on leave. You will be the frontline responder for external vulnerability reports submitted through the program, working closely with internal engineering and security teams to ensure timely, accurate triage and resolution.

Responsibilities:
  • Triage incoming vulnerability reports submitted via the bug bounty platform, assessing validity, impact, and scope.
  • Assign CVSS scores and severity ratings accurately, following internal severity guidelines and industry standards.
  • Reproduce proof-of-concept (PoC) exploits to validate reported vulnerabilities across web, API, and mobile surfaces.
  • Communicate clearly and professionally with external researchers: request clarifications, provide status updates, and manage expectations.
  • Coordinate with product engineering teams to route confirmed vulnerabilities for remediation.
  • Identify duplicate, out-of-scope, or informational reports and close them with clear, respectful explanations.
  • Contribute to internal documentation, triage runbooks, and severity calibration guidelines.
  • Flag systemic or critical findings to Bug Bounty team for escalation as needed.

Required Qualifications:
  • 3+ years of experience in application security, penetration testing, or a bug bounty/vulnerability disclosure role.
  • Strong understanding of CVSS v3.1 scoring and hands-on experience applying it to real-world vulnerabilities.
  • Proficiency in common web vulnerability classes: XSS, SQL injection, SSRF, IDOR, authentication flaws, and business logic issues.
  • Ability to reproduce and validate PoC exploits using tools such as Burp Suite, browser DevTools, curl, and custom scripts.
  • Familiarity with bug bounty platforms (e.g., HackerOne, Bugcrowd) and responsible disclosure processes.
  • Solid written communication skills able to write clear, constructive responses to researchers of all skill levels.
  • Familiarity with attacker techniques used by external researchers against LLM systems and generative AI products.
  • Knowledge of application security vulnerabilities (OWASP Top 10) and mitigation techniques.

Nice to Have:
  • Experience with cloud environments (AWS, Azure, GCP) and API security testing.
  • Hands-on experience in penetration testing of AI/ML and LLM-powered products, including chat interfaces, agentic workflows, and inference APIs.
  • Prior participation in bug bounty programs as a researcher.
  • Familiarity with OWASP Top 10, CWE taxonomy, and CVE assignment processes.
  • Background working within a large enterprise or SaaS security organization.


BENEFITS SUMMARY: Individual compensation is determined by skills, qualifications, experience, and location. Compensation details listed in this posting reflect the base hourly rate or annual salary only, unless otherwise stated. In addition to base compensation, full-time roles are eligible for Medical, Dental, Vision, Commuter, and 401K benefits with company matching.

IND123

About the Company

U

Ursus, Inc.