About the Team

The Semgrep Supply Chain Security Research Team’s mission is to help our customers secure their code by building the world’s most sophisticated and comprehensive supply chain tool and ruleset. We are responsible for helping our users identify vulnerabilities and building tooling to enable our operational work.

We want to protect customers from emerging threats. We are a highly curious and driven group that helps each other grow and learn.

We collaborative cross functionally. For example, we partner with multiple Product teams, including both Supply Chain and Secrets, to support rule writing or build and improve tooling.

Our core disciplines are security engineering, rule writing, and security research.

About the role

As a Security Researcher at Semgrep, you will research open source vulnerabilities and write Semgrep rules to help secure our customers against the latest threats. Initially, this may be more tactically focused, with many opportunities to grow, build, and expand your Security Researcher experience and career across disciplines. You’ll work on building and improving tooling to help scale our team of Security Researchers.

You will be working closely with full stack developers, Security Researchers, program analysis experts, and infrastructure engineers. You will learn from senior Security Researchers who bring experience and wisdom from years of running AppSec programs, working as security consultants, and discovering new CVEs. There will be opportunities to work with our customers’ security teams at companies ranging from early-stage startups to social-media giants, to learn about their security philosophies.

You’ll attend lunch and learns across the company - learning about everything from advanced type systems to product paradigms - and have opportunities to present your own work. As a Security Researcher, there will be opportunities to speak directly to customers who are using the rules you write. Getting broad exposure and seeing how your work impacts our customers end to end is part of what makes working at an early-stage startup unique.

Location expectations:

• Our preference is that this role will be based in our San Francisco / New York / Boston office 2 to 3 days per week.

You will:

• Research new and previously observed vulnerabilities to understand what makes them dangerous
• Write Semgrep rules and execute daily operational tasks, such as PR reviews
• Improve and develop new automation to support the team with writing high quality rules
• Build maintainable and extensible tooling and identify opportunities to build new tools
• Leverage data to guide decision making and to improve the performance and quality of our rules
• Collaborate with teams through code reviews, new language support, design discussions, and demos

You are ideal for this role if you:

• Are able to read and write code, scripting is okay
• Have an understanding of CVEs, vulnerabilities, and supply chain security basics
• Have a passion for learning more about securing code
• Are motivated to build a career in application security or security research

Compensation

Salary Range: $ 135,000-$145,000

Our compensation package includes equity and benefits in addition to salary.

Please note that the range listed is for someone based in the San Francisco Bay Area.