Vulnerability Research Engineer

GitLab’s Vulnerability Research team is a security research and development team, that focuses on improving GitLab’s security detection capabilities, including SAST/DAST and future products.

GitLab’s Vulnerability Research team is a security research and development team, that focuses on improving GitLab’s security detection capabilities, including SAST/DAST and future products. For more information about our security products, please review Secure and Software Supply Chain Security stages, as well as documentation.

The Vulnerability Research team works closely with GitLab Security (Security Research, Application Security, et al), Development, and Product teams to build, tune and improve the efficacy of the security products that are integrated into GitLab.

Vulnerability Research Engineers perform research to analyze software vulnerabilities, exploitation methods, track new vectors, discover novel methods and approaches in software security, apply this knowledge to the security products and GitLab itself. To get a better sense of what the team does daily, you can browse some of the past information sharing sessions.

Job grade

The Vulnerability Research Engineer is a grade 6.

Responsibilities

  • Dedicate all bandwidth to dogfooding and contributing directly to the Secure and Software Supply Chain Security products.
  • Carry out research and come up with proofs of concept that affect the security products and GitLab.
  • Curate (dependency scanning) advisory databases. This is a semi-automatic task that includes auditing/reviewing, editing existing and adding new advisories to the database while, at the same time, trying to automate repetitive tasks away as much as possible.
  • Build/develop benchmarks to test the efficacy of scanning and detection products.
  • Measure and Improve the efficacy of scanning and detection products over time.
  • Conduct code review of Ruby and Go backend code.
  • Build/develop/improve solutions in the area of static and dynamic analysis.
  • Write detailed technical reports.
  • Assess security product output results and conduct root cause analysis to improve efficacy.
  • Respond to internal and external customer inquiries on vulnerabilities and related topics.

Requirements

  • 2+ years of direct experience in developing and improving vulnerability detection products in the context of web security.
  • Knowledge of the vulnerability management process.
  • Knowledge of software composition analysis (SCA) and software supply chain ecosystems.
  • Knowledge about compilers, compiler design and construction.
  • Experience with source code analysis, static application security testing (SAST), and dynamic application security testing (DAST).
  • Experience developing automated web security testing/analysis tools.
  • Knowledge about benchmarking for testing the efficacy of scanning and detection products.
  • Experience completing code reviews of Ruby and Go backend code.
  • Experience in product development.
  • You have a passion for security and open source.
  • You are a team player, and enjoy collaborating with cross-functional teams.
  • You are a great communicator (written and verbal).
  • You employ a flexible and constructive approach when solving problems.
  • You are curious and like to explore, experiment.
  • Our values of collaboration, results, efficiency, diversity, iteration, and transparency resonate with you.

Nice-to-have’s

  • Experience with abstract interpretation, program analysis methods.
  • Experience with binary analysis, reverse-engineering.
  • Experience with exploit development.
  • Scientific data analysis skills.
  • Bug-hunting experience.
  • 0day discoveries, CVEs.

Levels

Senior Vulnerability Research Engineer

Job grade

The Senior Vulnerability Research Engineer is a grade 7.

Responsibilities

  • Leverage security expertise in at least one specialty area.
  • Experiment with technology.
  • Come up with proofs of concept.
  • Author and improve security benchmarks.
  • Triage and handle/escalate issues in security products independently.
  • Conduct security product output reviews and make recommendations.
  • Exercise great written and verbal communication skills.
  • Write public blog posts and represent GitLab as a speaker at security conferences.
  • Screen candidates for security-related positions during hiring process.

Staff Vulnerability Research Engineer

The Staff Vulnerability Research Engineer role extends the Senior Vulnerability Research Engineer role. As a recognized security expert in multiple specialty areas, with cross-functional team experience, a Staff Vulnerability Research engineer projects skills and experience across the entire organization, willing and able to challenge assumptions and the status quo in the industry.

Job grade

The Staff Vulnerability Research Engineer is a grade 8.

Responsibilities

  • Extends the Senior Vulnerability Research Engineer Responsibilities.
  • Make security product decisions and advise on architecture from the security perspective.
  • Provide actionable and constructive feedback to cross-functional teams.
  • Implement security technical and process improvements.
  • Author technical security documents.
  • Drive new major efforts, carry a strong sense of ownership.
  • Coach and help team members grow both personally and professionally.
  • Exercise exquisite written and verbal communication skills.
  • Author questions/processes for hiring and screening candidates.
  • Exhibits a deep understanding of GitLab products, how customers use them, and how they fit into the larger business.
  • Leveraging their increasingly on-demand time to help others and enable them to move forward.

Principal Vulnerability Research Engineer

The Principal Vulnerability Research Engineer role extends the Staff Vulnerability Research Engineer role.

Job grade

The Principal Vulnerability Research Engineer is a grade 9.

Responsibilities

  • Extends the Staff Vulnerability Research Engineer Responsibilities.
  • Works with others across the organization to help team members grow their understanding of their team’s domain and technology.
  • Conducts both novel technical research and market research to determine where teams would best allocate their time.
  • Works directly with PMs and engineering teams to get buy-in and ensure that successful proof of concepts can make its way into the product.
  • Looks for opportunities for process improvements and opportunities to exhibit leadership for organizational initiatives.
  • Works frequently with other teams to coordinate major changes leading to efficient solutions.
  • Blends technical strategy, product strategy, and design strategy to help the vulnerability research team to be more productive internally and when interacting with other teams.
  • Exposes technology and organizational needs across their sub-department.
  • Knows when to delegate new opportunities to team members to allow for professional and personal growth.
  • Writes public blog posts that are references by the security press. Represents GitLab as a speaker at major security conferences like BlackHat and RSA.
  • Making responsible decisions and evaluating tradeoffs on high priority / high impact initiatives.
  • Having a broad skill-set with in-depth expertise in several areas.
  • Taking on cross-team complex requirements and decomposing them into a proposal of small deliverables.
  • Engaging in the Architecture Practice to contribute to and help with the most challenging technical initiatives.
  • Playing a central role in technical, business, and organizational contributions affecting the sub-department/department.
  • Planning research work with a 6+ month view.
  • Ensuring that OKR level goals are aligned across several teams in their sub-department.
  • Guiding conversations to remove blockers and encourage collaboration across teams.
  • Providing a point of escalation for sub-department teams facing complex technical challenges.
  • Attaining a measurable impact on the work of sub-department teams.
  • Interacting with customers and other external stakeholders as a consultant and spokesperson for the work of their sub-department.
  • Identifying slow and inefficient code across multiple products.
  • Possesses a vast knowledge of programming languages and their frameworks.

Performance Indicators

Career ladder

For more details on the engineering career ladders, please review the engineering career development handbook page.

Hiring process overview

Candidates for this position can expect the hiring process to follow the order below. Please keep in mind that candidates can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find their job title on our team page.

As always, the interviews and screening call will be conducted via a video call. See more details about our hiring process on the hiring handbook.

 


About GitLab

GitLab is an open core software company that develops the most comprehensive AI-powered DevSecOps Platform, used by more than 100,000 organizations. Our mission is to enable everyone to contribute to and co-create the software that powers our world. When everyone can contribute, consumers become contributors, significantly accelerating the rate of human progress. This mission is integral to our culture, influencing how we hire, build products, and lead our industry. We make this possible at GitLab by running our operations on our product and staying aligned with our values. Learn more about Life at GitLab. Thanks to products like Duo Enterprise, and Duo Workflow, customers get the benefit of AI at every stage of the SDLC. The same principles built into our products are reflected in how our team works: we embrace AI as a core productivity multiplier. All team members are encouraged and expected to incorporate AI into their daily workflows to drive efficiency, innovation, and impact across our global organisation.

See our culture page for more!

Work remotely from anywhere in the world. Curious to see what that looks like? Check out our remote manifesto and guides.

Last modified February 4, 2025: Change ref links to regular links (64832a18)