Associate Vulnerability Analyst
Who We Are
npm is the world’s largest software repository, with over 10 million users and over 26 billion software package downloads every month.
What You'll Do
npm audit made security top of mind for our 10 million users by improving the security of the npm ecosystem overnight. Do you want to help make this better and improve the security of the npm Registry?
Our Security team values empathy for the people we work with and the community we work for. We are purposeful in our actions and effective at collaboration.
In this position, you’ll get to:
- Triage vulnerability reports for the npm ecosystem and npm products and services
- Author and edit security advisories for use in our security products
- Create proof-of-concept exploits to demonstrate impact for valid vulnerability reports
- Facilitate communication between outside security researchers and npm package maintainers to help enable security bugs to get fixed
- Conduct research to find vulnerabilities in npm packages or discover previously unknown malware to help keep the npm Registry more secure
- Review, provide guidance, or take action on the findings from our vulnerability scanners, and automated security systems, eliminating false positives, and finding ways to improve this tooling
- Develop tools to automate tasks where possible
You may not know how to do all of these tasks already, but you demonstrate the potential and passion to learn and grow.
Our Code of Conduct
npm is a piece of technology, but more importantly, it is a community.
We believe that our mission is best served in an environment that is friendly, safe, and accepting; free from intimidation or harassment. We do not tolerate abusive behavior. See our unabridged code of conduct here.
Why You Should Join
In joining the npm team, you'll become an important part of a small but dedicated security team. We strive to provide a sensible working environment that doesn't ask for or encourage habitual overtime and we offer flexibility in schedule. We have a progressive parental leave policy and vacation time is not just encouraged, but celebrated. We also understand that healthy schedules lead to better outcomes. To help ensure this balance we have contracted support night coverage so we don't interrupt anyone's sleep.
We believe that high-performing teams include people from different backgrounds and experiences who can challenge each other's assumptions with fresh perspectives. To that end, we actively seek a diverse pool of applicants, including those from historically marginalized groups — women, people with disabilities, people of color, formerly incarcerated people, people who are lesbian, gay, bisexual, transgender, and/or gender nonconforming, first and second generation immigrants, and people from low-income families.