Semmle believes security is a shared responsibility. Our mission is to secure the code that runs the world by bringing the security and development communities together. At the forefront of this is the Semmle Security Research Team: we search for security vulnerabilities in the most commonly used open source software. We take the ethics of what we do seriously and operate according to a clear disclosure policy. Any bug bounties that we receive, we donate to charity.
We are looking for people who are talented at finding bugs and would like to use variant analysis to become even more effective. We use Semmle's QL query language to analyze the source code, so we are particularly interested in people who have a talent for spotting bugs by reading code. We are also looking for people who are skilled at writing exploits, because a proof-of-concept (PoC) is an essential component of a high-quality security report.
We are interested in talking to people at any point in their career, from interns to seniors and above.
Essential skills
- Ability to find security vulnerabilities in source code
- Prior exposure to or experience in software security (commercially, academically or through personal work such as bug bounty hunting, CTFs or publishing CVEs)
- Enthusiasm for sharing your knowledge, by writing blog posts about your work and by publishing other technical details such as custom QL queries or well-documented PoCs
- Ethical attitude towards the handling and disclosure of vulnerabilities
Desirable skills (advantageous but not essential)
- Proven track record of finding security vulnerabilities (ideally, you have already been credited for finding several CVEs)
- Software development experience on large code bases
- Advanced debugging techniques
- Exploit development, including mitigation bypass techniques
- Program analysis
- Declarative programming (QL is a declarative language, descended from Datalog)
As a member of Semmle's Security Research Team, your primary responsibility will be to find security vulnerabilities in open-source projects. We measure our success by the number of CVEs that we find, so you will responsibly report every vulnerability that you find and apply for a CVE, credited to "Your Name of Semmle Security Research Team". You will also share your expertise with others, through blog posts, QL queries, and well-documented exploit PoCs. And you will occasionally help us with targeted security audits for our customers.
Semmle believes security is a shared responsibility. Our mission is to secure the code that runs the world by bringing the security and development communities together. Google, Microsoft, NASA, Uber, Palantir and many others rely on Semmle’s products to scale their security expertise and quickly explore any codebase to discover zero-days and all variants of vulnerabilities. We empower product security teams to deliver variant analysis results to development teams using LGTM to ship safe code and protect their customers. Semmle's platform enables the security community to collaborate and share their expertise in the field of variant code analysis and security research.
We offer intellectually stimulating work, competitive salaries, and a relaxed work environment in Oxford, Valencia, Copenhagen, New York, San Francisco or Seattle.
How do you apply?
Semmle aims to hire outstanding people who have a diversity of perspectives, ideas and cultures. We actively support diversity and inclusion in the workplace and are committed to equal employment opportunity regardless of race, colour, ancestry, religion, sex, national origin, sexual orientation, gender identity, age, citizenship, marital status or disability status.
Please complete the following form to apply, or feel free to get in touch with Zac Wallis at email@example.com for more information. www.semmle.com
We encourage applicants to let us know of any accessibility requirements, so that we may provide the best possible support during the application process and your time at Semmle.