Software Guidance & Assistance, Inc., (SGA), is searching for a
Product Security Engineer for a
contract assignment with one of our premier SaaS clients in Lehi, UT. Also open to remote candidates.
We are seeking a Product Security Engineer to support our Bug Bounty program on a 6-month contract engagement, backfilling a team member on leave. You will be the frontline responder for external vulnerability reports submitted through the program, working closely with internal engineering and security teams to ensure timely, accurate triage and resolution.
Responsibilities: - Triage incoming vulnerability reports submitted via the bug bounty platform, assessing validity, impact, and scope.
- Assign CVSS scores and severity ratings accurately, following internal severity guidelines and industry standards.
- Reproduce proof-of-concept (PoC) exploits to validate reported vulnerabilities across web, API, and mobile surfaces.
- Communicate clearly and professionally with external researchers: request clarifications, provide status updates, and manage expectations.
- Coordinate with product engineering teams to route confirmed vulnerabilities for remediation.
- Identify duplicate, out-of-scope, or informational reports and close them with clear, respectful explanations.
- Contribute to internal documentation, triage runbooks, and severity calibration guidelines.
- Flag systemic or critical findings to Bug Bounty team for escalation as needed.
Required Skills: - 3+ years of experience in application security, penetration testing, or a bug bounty / vulnerability disclosure role.
- Strong understanding of CVSS v3.1 scoring and hands-on experience applying it to real-world vulnerabilities.
- Proficiency in common web vulnerability classes: XSS, SQL injection, SSRF, IDOR, authentication flaws, and business logic issues.
- Ability to reproduce and validate PoC exploits using tools such as Burp Suite, browser DevTools, curl, and custom scripts.
- Familiarity with bug bounty platforms (e.g., HackerOne, Bugcrowd) and responsible disclosure processes.
- Solid written communication skills - able to write clear, constructive responses to researchers of all skill levels.
- Familiarity with attacker techniques used by external researchers against LLM systems and generative AI products.
- Knowledge of application security vulnerabilities (OWASP Top 10) and mitigation techniques.
SGA is a technology and resource solutions provider driven to stand out. We are a women-owned business. Our mission: to solve big IT problems with a more personal, boutique approach. Each year, we match consultants like you to more than 1,000 engagements. When we say let's work better together, we mean it. You'll join a diverse team built on these core values: customer service, employee development, and quality and integrity in everything we do. Be yourself, love what you do and find your passion at work. Please find us at .
SGA is an Equal Opportunity Employer and does not discriminate on the basis of Race, Color, Sex, Sexual Orientation, Gender Identity, Religion, National Origin, Disability, Veteran Status, Age, Marital Status, Pregnancy, Genetic Information, or Other Legally Protected Status. We are committed to providing access, equal opportunity, and reasonable accommodation for individuals with disabilities in employment, and our services, programs, and activities. Please visit our company to request an accommodation or assistance regarding our policy.