Security Analyst

Distributed, US
Program Operations – Triage
HackerOne is looking for security-minded, customer-service oriented individuals to join the team responsible for HackerOne’s Fully Managed service offering. You will be responsible for vetting security vulnerability reports from some of the world's best hackers being submitted to Fortune 500 and other companies as part of their bug bounty programs. You will have the opportunity to work with some of the best hackers in the world and the security teams behind some of the most competitive bug bounty programs, gaining hands-on experience with thousands of vulnerabilities unique to HackerOne's customers.

The ideal candidate will be a self-starter, a problem solver, a great communicator, and detail oriented.

This role requires that you have both excellent communication skills to serve as the glue between the hacker community and companies running bug bounty programs, as well as the technical capacity to ensure every bug report is reproducible and provides value to each customer. This job is remote and can be performed from anywhere in the United States.


    • Review incoming vulnerability reports and reproduce issues, assessing the severity and impact of each issue within the context of each organization’s threat model
    • Work with hackers to identify missing information in reports, as well as help educate the community when reports are incorrect
    • Write a brief summary for each report, including clear reproduction steps, the impact of the issue, and remediation advice
    • Coordinate with our Customer Success team and customers to ensure smooth triage workflows for any programs you work with
    • Ensure clear and efficient communication between hackers and customers
    • Proactively identify and solve issues, as well as accept and quickly respond to delegated work; as we are distributed, being able to win as a team to solve problems is critical to our success


    • Top notch communication skills: need to be able to firmly, yet politely, respond to non-issues, as well as identify legitimate issues and communicate them to security teams in an easy to understand format
    • Strong technical knowledge around web application security: ability to identify and reproduce reported vulnerabilities, as well as assess contextual risk
    • In-depth knowledge of security fundamentals, including OWASP Top 10 and other common application security vulnerabilities. The Web Application Hacker’s Handbook is a great resource to be familiar with.
    • Familiarity with and ability to calculate CVSS ratings for identified vulnerabilities based on an understanding of each customer’s threat model.
    • Familiar with vulnerability disclosure and bounty programs, including: report formatting and content, confidentiality and disclosure processes, the importance of clear and quick communication between hackers and customers, program policies, etc.
    • Ability to prioritize and organize operationally complex work, with great attention to detail


    • Security consulting experience, such as: vulnerability assessment, code review, and penetration testing
    • 1+ years customer service or IT support experience
    • Network and web-related protocol knowledge (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols)
    • CISSP, OSCP/E, GWAPT, GPEN, GXPN certification is helpful, but not a necessity
    • Additional experience in IT, security engineering, system and network security, authentication and security protocols, and applied cryptography
    • Bootrom assessment experience
    • Experience with Dalvik/ART and Dex bytecode analysis

HackerOne was started by hackers and security leaders who are driven by a passion to make the internet safer. HackerOne is now the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be exploited. We partner with the global hacker community to surface the most relevant security issues of our customers before they can be exploited by criminals. More than 1,000 organizations, including the U.S. Department of Defense, General Motors, Google Play, Twitter, GitHub, Nintendo, Panasonic Avionics, Qualcomm, Starbucks, and Dropbox, trust HackerOne to find critical software vulnerabilities. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, and Singapore.

As a team, we believe in integrity, transparency, trust, collaboration and community. We believe in the positive power of hackers and work tirelessly to promote the success of our community to the broader, mainstream audience.