Senior Security Research Engineer

Automattic Inc

New York, NY (remote)

JOB DETAILS
SALARY
$70,000–$170,000 Per Year
LOCATION
New York, NY
POSTED
30+ days ago

WP Cloud powers WordPress at scale, and security is a critical part of that foundation. We're expanding our security team to support WP Cloud, while also contributing to the protection and intelligence provided by WPScan and Jetpack Protect. As a Security Researcher, you will analyze vulnerable and malicious code, track emerging threats, and help build the tools and processes that detect, prevent, and remediate malware and other security issues across the WordPress ecosystem. If you have a knack for solving puzzles and a passion for documenting and operationalizing solutions, this is a great opportunity to make a broad impact.

The Senior Security Engineer position might be a good fit if you:

  • Enjoy securing and protecting websites and applications.
  • Have at least 3 years of experience as a security researcher, or equivalent experience investigating vulnerabilities, malware, or other threats.
  • Understand threat models, security threats, vulnerabilities, and common attack vectors such as XSS, injection, hijacking, social engineering, and so on, along with how to mitigate them.
  • Have experience with PHP and some exposure to software engineering.
  • Are highly collaborative, and love participating in code reviews and discussions about architecture or design.
  • Have a strong ability to use AI tools effectively to accelerate your work, improve analysis, and enhance the quality of your solutions.
  • Are open, and able, to travel 2-3 weeks per year to meet up with your teammates in person.

Extra Credit:

  • Experience with penetration testing and associated tools.
  • Previous experience with malware detection systems.
  • Reported vulnerabilities in the past.
  • Know your way around WordPress and its file and database structures.
  • Have experience writing and debugging WordPress plugins and themes.

Speaking of interests and skills, here are some areas in which you can grow and have further impact in the future at the company:

  • Leadership - we offer a variety of leadership options to those who have an interest, including becoming a team lead and managing releases.
  • Learning and development - we have a generous personal development budget and encourage you to grow your skills through courses, books, and conferences.
  • Architecture - we encourage developers to build expertise in the systems they work with, guide their evolution, and mentor other developers working on them.
  • Engineering effectiveness - we believe in helping other developers become more effective through tools, practices, cross-team collaborations, and process

Compensation and Benefits

Salary range: $70,000-$170,000 USD. Please note that salary ranges are global, regardless of location, and we pay in local currency.

We are searching for high-caliber candidates with the skills and qualities to have a net positive for Automattic. Pay will reflect the potential contribution and the impact you can bring, which may, in some cases, go beyond the range stated.

This isn't your typical work-from-home job - we are a fully-remote company with an open vacation policy. Read more about our compensation philosophy. To see a full list of benefits by country, consult our Benefits Page. And check out these links to learn more about How We Hire and What We Expect from Ourselves. #LI-Remote

About Automattic

Now in our 20th year, we're the people behind WordPress.com, WooCommerce, Beeper, Tumblr, Simplenote, Jetpack, Longreads, Day One, PocketCasts, and more. We believe in making the web a better place.

We're a distributed company with more than 1500 Automatticians in nearly every corner of the globe, speaking over a hundred different languages. Enriched by this diversity, we're united by a singular mission: to democratize publishing, commerce, and messaging so anyone with a story can tell it, anyone with a product can sell it, and everyone can manage their communications from a single source. In short, we help maintain a balance in society, creating and continually refining powerful tools people can use to compete fairly - regardless of income, gender, politics, language, or where they live in the world.

We believe in Open Source, and the vast majority of our work is available under the GPL. Automattic is a Most Loved Company, an Equal Opportunity employer, and Disability Confident Committed. (Here's what that might mean for you.) If you need disability-related accommodations during the application or interview process, please fill out this form. We are committed to ensuring an accessible hiring process for all candidates. Learn more about our Employee Resource Groups.

You can track your application status and more at MyGreenhouse.

To learn about how we handle your data, please review our Privacy Policy.

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran. View the "Know Your Rights: Workplace Discrimination is Illegal" poster here. Automattic participates in the E-Verify program in certain locations, as required by law.

Job Details

1 Open position

Category

Engineering

Team/Product

Automattic

Apply Now

Do you have hands-on experience researching, triaging, or disclosing security vulnerabilities specifically within the WordPress ecosystem (plugins, themes, or core)? * (Options: Yes; No)

Describe a security vulnerability or piece of malware you analysed in PHP code. What was it, how did you identify it, and what made it interesting or difficult to assess? *

How are you currently using AI in your security research work? Give us a specific example of something you built, automated, or improved using AI tooling. *

Automattic is fully distributed and async-first. Walk us through how you manage your work when you're operating without a manager or peer available - how do you prioritise, communicate, and stay unblocked? *

Tell us about a time you had to make a judgment call on whether something was a real security vulnerability when the answer wasn't obvious. What was the context, what did you weigh up, and were you right? *

How did you hear about this role? * (Options: Automattic Employee (please specify below); Recruiter; WordPress User; I saw this job on LinkedIn; WordCamp; Tumblr; HTTP Header/X-hacker; PowerToFly; StackOverflow; Glassdoor; Google; TikTok/YouTube video; Other)

If you selected "Automattic Employee" or "Other" above, can you tell us more?

Do you have a LinkedIn profile? If so, please provide a link.

Have you reviewed the compensation details (salary range) provided in the job description above? *

Read more about our compensation philosophy here.

(Options: Yes; No)

Please indicate your salary expectation for this role. *

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in Automattic's Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

Race (Options: Decline To Self Identify; Two or More Races; Native Hawaiian or Other Pacific Islander; White; Hispanic or Latino; Black or African American; Asian; American Indian or Alaskan Native)

Gender (Options: Decline To Self Identify; Female; Male)

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Veteran Status (Options: I don't wish to answer; I identify as one or more of the classifications of a protected veteran; I am not a protected veteran)

Voluntary Self-Identification of Disability

Form CC-305

OMB Control Number 1250-0005

Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor's Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your "major life activities." If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson's disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury

Disability Status (Options: I do not want to answer; No, I do not have a disability and have not had one in the past; Yes, I have a disability, or have had one in the past)

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.

Not finding the right opportunity?

Check out our interest forms and register your details. We are always open to talented people who would like to join Automattic.
