Security Research Engineer / Vulnerability Hunter
Semmle believes security is a shared responsibility. Our mission is to secure the code that runs the world by bringing the security and development communities together. At the heart of this is the Semmle Security Research Team
: we find security vulnerabilities in the most commonly used open source software and help to eradicate them before they become a problem.
We are looking for people who are talented at finding bugs, skilled at writing exploits, or adept at source code analysis and are interested in helping us secure software, together.
We are open to candidates in any of the following locations: Oxford, Valencia, Copenhagen, New York, San Francisco, Seattle, Buenos Aires, Athens, Madrid or to be based remotely.
We are interested in talking to people at any point in their career, from Interns to Seniors.
- Ability to find security vulnerabilities in source code.
- Prior exposure / participation / experience in Software Security (commercially, academically or through personal work like bounty bug hunting, CTFs or publishing CVE’s)
- Enthusiasm for sharing your knowledge, by writing blog posts about your work and by publishing other technical details such as custom QL queries or well-documented PoCs .
- Ethical attitude towards the handling and disclosure of vulnerabilities.
Desirable skills (advantageous but not essential)
- Proven track record of finding security vulnerabilities. (Ideally, you have already been credited for finding several CVEs.)
- Software development experience on large code bases
- Advanced debugging techniques
- Exploit development, including mitigation bypass techniques
- Program analysis
- Declarative programming (QL is a declarative language, descended from Datalog)
As a member of Semmle’s Security Research Team, your primary responsibility will be to find security vulnerabilities in open-source projects. You will use a range of techniques including the use of Semmle’s QL
: our very own variant analysis engine for security researchers to quickly explore code to find zero-days and all variants of vulnerabilities.
We measure our success by the number of CVEs that we find
, so you will responsibly report every vulnerability that you find and apply for a CVE. You will also share your expertise with others, through blog
posts, QL queries, and well-documented exploit PoCs
. You will also occasionally help us with targeted security audits for our customers.
We take the ethics of what we do seriously and operate according to a clear disclosure policy
. You will hopefully share our values and commitment to ethical disclosure. When we are rewarded with bug bounties we donate the money to charity and open source our findings so that everyone can benefit from our research.
Semmle is a scale-up software company with <100 staff, >60 Engineers, >30 PhDs, >100 patents and >50 CVEs. We are privately held, profit-generating and backed by top-tier investors including Accel Partners. We offer intellectually stimulating work, competitive salaries, and a relaxed work environment.
Semmle believes security is a shared responsibility
. Our mission is to secure the code that runs the world by bringing the security and development communities together. Google, Microsoft, NASA, Uber, Palantir and many others daily rely on Semmle’s products to scale their security expertise and quickly explore any code base to discover code quality issues, bugs, zero-days and all variants of vulnerabilities. To see how we’re doing this, check out the blog
and start writing your own queries with LGTM & QL
We are dedicated to improving open source software by making it more secure for its users and committed to the ethical disclosure of all security vulnerabilities
we find. Any bug bounties we receive, we donate to charity. If you share our values then please help us in securing software, together.
How do you apply?
Semmle aims to hire outstanding people who have a diversity of perspectives, ideas and cultures. We actively support diversity and inclusion in the workplace and are committed to equal employment opportunity regardless of race, colour, ancestry, religion, sex, national origin, sexual orientation, gender identity, age, citizenship, marital status or disability status.
Please complete the following form to apply, or feel free to get in touch with Zac Wallis at email@example.com
for more information.