About the Role
We are seeking a hardworking Sr. Security Technologist to join our Vulnerability Discovery team and manage Uber's Bug Bounty Program! In this role, you will build relationships with the security research community through daily interactions, virtual promotional bug bounty events and live hacking events. In addition, you will be verifying bug bounty reports, performing root cause analysis, and assessing their impact while partnering with engineering teams to track vulnerabilities through remediation. The ideal candidate will be able to work effectively with external and internal partners in a collaborative and fast-paced environment.
What You'll Do
- Lead bug bounty program strategy, manage public and private bug bounty projects, and assist with live event and virtual promo event planning and execution.
- Oversee the end-to-end report lifecycle from triage to resolution, including managing triage and escalation for inbound reports, performing root cause analysis, managing state transitions, and tracking internal remediation tickets.
- Work closely with engineering teams across Uber to help them understand the risk, track remediation timelines, and ensure reports are remediated within the defined SLAs.
- Manage bug bounty payouts, including leading payout meetings and building monthly reports for security leadership.
- Identify program trends and feed new bug bounty reports into our static analysis rule creation process, so that each confirmed bug class becomes a query that finds the same pattern elsewhere in the code base.
- Maintain program documentation, e.g., updating scope changes or changes to internal process documents.
- Generate global intelligence reports on past bug bounty escalations.
Basic Qualifications
- Bachelor's in Computer Science or a related field, or equivalent industry experience.
- Experience finding and fixing common security vulnerabilities (e.g., the OWASP Top 10).
- Familiarity with the software development lifecycle.
Preferred Qualifications
- Master's in Computer Science or a related field.
- Prior bug bounty program management experience.
- Ability to work with and build consensus among cross-functional teams.
- Organized, self-motivated, and comfortable in a fast-paced environment.
- Ability to motivate internal teams to prioritize security vulnerabilities alongside their OKR work.
About the Team
We are the team of engineers who lead the principled vulnerability discovery initiative at Uber. We ensure that code at Uber adheres to company-wide security standards and is free of known classes of security vulnerabilities.
To that end, we design, develop and deploy automation to detect, track and remediate vulnerabilities in over 5,000 services.
In addition, we crowdsource security intelligence via our Bug Bounty program, red team exercises, as well as manual and automated security audits.
Finally, we use research-quality control-flow graph (CFG) and data-flow graph (DFG) analysis to codify the latest security findings, including those from bug bounty reports, into custom queries, which we then deploy across our fleet of security scanners. As a result, each manually discovered issue is turned into an automated check, multiplying the return on that manual effort. Our constantly growing corpus of security queries enables us to perform automated, systematic and comprehensive security analysis across all of Uber's applications and services.