Information Security Engineer (Bug Bounty Program / Vulnerability)

Remote • Posted 7 hours ago • Updated 7 hours ago
Contract W2
6 Months
No Travel Required
Remote
Depends on Experience

Job Details

Skills

  • SCA
  • Vulnerability Scanning
  • Vulnerability Management
  • OWASP
  • Bug Bounty

Summary

Title: Information Security Engineer (Bug Bounty/vulnerability)

Location: Remote

Duration: 6 Months Contract

 

Must Have

  • Experience with vulnerability triage, validation, and prioritization.
  • Must be able to communicate ideas both verbally and in writing to management, business and IT sponsors, and technical resources in language that is appropriate for each group.
  • Strong understanding of application security principles, secure development practices, and common vulnerabilities (e.g., OWASP Top 10).

 

Nice To Have

  • Ability to review and understand source code to validate vulnerabilities.
  • Experience with vulnerability management or tracking platforms (e.g., ticketing systems, dashboards).
  • Familiarity with vulnerability scanning tools and outputs (e.g., SAST, SCA, DAST).

 

ESSENTIAL DUTIES & RESPONSIBILITIES:

VDP & Bug Bounty Triage

  • Review and triage vulnerability submissions from external researchers.
  • Validate technical accuracy, exploitability, and business impact.
  • Assess severity and impact in alignment with established scoring models and program standards.
  • De-duplicate and disposition invalid or non-actionable submissions.
  • Classify vulnerabilities using established taxonomy.
  • Identify and assign remediation owners using established processes.
  • Support vulnerability tracking within centralized tools.

False Positive Review & Validation

  • Evaluate false positive requests from application teams.
  • Analyze scanner findings (SAST/SCA) and perform source code review as needed to validate findings.
  • Determine validity and provide evidence-based disposition with rationale.

Operational Support

  • Contribute to continuous improvement of triage standards, playbooks, and procedures.
  • Maintain awareness of common application security vulnerabilities and emerging threats.

Risk & Compliance Support

  • Ensure vulnerability handling aligns with internal policies, standards, and regulatory expectations.
  • Maintain defensible documentation and provide supporting evidence for audit, regulatory, and internal review requirements.
  • Escalate high-risk or time-sensitive vulnerabilities as appropriate.

Stakeholder Communication

  • Communicate findings, impact, and remediation guidance clearly.
  • Partner with application and engineering teams to enable timely remediation.

 

MINIMUM KNOWLEDGE, SKILLS & ABILITIES REQUIRED:

  • Bachelor’s degree in Computer Science, Information Security, or related field, or equivalent practical experience.
  • 3–5 years of related experience in information security, application security, or vulnerability management.
  • Strong understanding of application security principles, secure development practices, and common vulnerabilities (e.g., OWASP Top 10).
  • Experience with vulnerability triage, validation, and prioritization.
  • Familiarity with vulnerability scanning tools and outputs (e.g., SAST, SCA, DAST).
  • Ability to review and understand source code to validate vulnerabilities.
  • Strong analytical skills to assess exploitability and business risk.
  • Experience with vulnerability management or tracking platforms (e.g., ticketing systems, dashboards).
  • Strong attention to detail and ability to make defensible decisions.
  • Must be able to communicate ideas both verbally and in writing to management, business and IT sponsors, and technical resources in language that is appropriate for each group.
  • Previous experience working with distributed or offshore teams desired.
  • Financial industry experience is a plus.
  • Dice Id: 10334594
  • Position Id: 9007532

Company Info

About Javen Technologies, Inc

Javen Technologies is a global information technology company providing consulting and outsourcing services. Our global delivery model, innovative approach, and industry knowledge allow us to provide cost-effective services that enable our clients to enhance business performance through technology. Javen Technologies is firmly committed to keeping our client success as priority number one. The key to our successful track record is our dedication to information technology services and the strong partnerships we’ve built with our clients. We aim to deliver excellence through our people, knowledge, and methodologies.

We specialize in Web Technologies, IoT, Cloud, Mobile, UI/UX, ML/AI, ERP, CRM, Data Warehousing, Big Data, and System Integration.

Javen Technologies has the expertise and capacity to deliver top-quality technology solutions globally, and a proven track record of helping our clients transform their businesses, giving them a competitive edge in today’s ever-changing marketplace.
