
Vercel · Hybrid - San Francisco
ABOUT VERCEL: Vercel is the agentic infrastructure company. We free people and agents to ship what’s next. For more than a decade, Vercel has shaped how the w...
Vercel is the agentic infrastructure company. We free people and agents to ship what’s next.
For more than a decade, Vercel has shaped how the web is built. As the team behind Next.js, v0, and AI SDK, we create products
that help builders move from idea to production with speed, security, and exceptional developer experience.
Now, software is entering a new era, and the next generation of products will not just be used by people. They will be built,
extended, and operated by agents.
We are building the platform for that future, trusted by companies like OpenAI, PayPal, Ramp, Supreme, and millions of developers
worldwide. Whether you’re building our products, supporting our customers, growing our community, or shaping our story, you’ll
help define what comes next.
Traditional product security teams work one report at a time: a person triages a bug bounty submission, validates it, reproduces
it, and hands it off for a fix. That doesn't scale past a certain volume, and Vercel is well past it. Adding more triagers doesn't
close that gap. Building the systems that triage at that scale does.
This role is about building that system. Your core focus is tooling that triages and validates bug bounty and other externally
reported security findings at scale, reasoning about validity, severity, and reproducibility the way a human triager would, but
continuously and at volume. And we want to go beyond triage. The real leverage is in connecting a validated finding to its root
cause and driving the fix, ideally with the remediation itself proposed or opened automatically for well-understood vulnerability
classes.
More broadly, this is a mandate to rethink traditional security tooling for how Vercel actually operates: agent-scale testing and
automation in place of processes built for a much smaller company. This role also has real scope to build tooling that gives our
customers their own security testing capabilities for what they build on Vercel, not just harden Vercel's own surface.
Because of this, we're optimizing for someone who wants to build systems, not someone whose background is manual penetration
testing. A software engineer with a strong desire to move into security, or a security engineer with a strong engineering
background, is exactly who we're looking for.
If you're based within a pre-determined commuting distance of one of our offices (SF, NY, London, or Berlin), the role includes
in-office anchor days on Monday, Tuesday, and Friday. If you're located beyond that distance, the role is fully remote. For
location-specific details, please connect with our recruiting team.
externally reported vulnerabilities and automatically assess validity, severity, and reproducibility, at a volume no manual
triage process could match.
business logic, auth, and design-level findings, not just match against known signatures.
the reason it happened, not just the one report that came in.
itself for well-understood vulnerability classes, with the right human review gates in place.
modeling, ad hoc code review, point-in-time pentests) still make sense at Vercel's scale, and build the agent-driven tooling
that replaces or augments them.
tooling, so every report gets resolved and makes the automated triage smarter for the next one.
products into a capability customers can use to test the security of what they build and deploy on the platform.
experience. You'd rather build the system that triages a thousand reports than work through them one at a time. We're equally
excited by a software engineer who wants to move into security and a security engineer with a strong engineering background; a
manual pentesting background alone is not what this role is optimized for.
to assess an externally reported finding, reproduce it, and judge severity, and you understand what makes that process hard to
scale.
can reliably validate, root-cause, and fix vulnerabilities today, and where they can't yet.
class of bug happen," rather than closing the one ticket in front of you.
what it looks like at Vercel rather than inherit a playbook.
frameworks (ideally Next.js or React and Node-based frameworks), so you can read and validate the code your tooling is
analyzing.
entries). These demonstrate your depth of knowledge, though they are not required.
Vercel is committed to fostering and empowering an inclusive community within our organization. We do not discriminate on the
basis of race, religion, color, gender expression or identity, sexual orientation, national origin, citizenship, age, marital
status, veteran status, disability status, or any other characteristic protected by law. Vercel encourages everyone to apply for
our available positions, even if they don't necessarily check every box on the job description.
The San Francisco, CA base pay range for this role is $208,000.00 - $312,000.00. Actual salary will be based on job-related
skills, experience, and location. Compensation outside of San Francisco may be adjusted based on employee location. The total
compensation package may include benefits, equity-based compensation, and eligibility for a company bonus or variable pay program
depending on the role. Your recruiter can share more details during the hiring process.
ABOUT VERCEL: Vercel is the agentic infrastructure company. We free people and agents to ship what’s next. For more than a decade, Vercel has shaped how the web is built. As the team behind Next.js, v0, and AI SDK, we create products that help builders move from idea to production with speed, security, and exceptional developer experience. Now, software is entering a new era, and the next generation of products will not just be used by people. They will be built, extended, and operated by agents. We are building the platform for that future, trusted by companies like OpenAI, PayPal, Ramp, Supreme, and millions of developers worldwide. Whether you’re building our products, supporting our customers, growing our community, or shaping our story, you’ll help define what comes next. ABOUT THE ROLE v0 turns natural language into working, deployed applications. An agent writes code, executes it, and ships it on a user's behalf. That makes v0 one of the most interesting and highest-stakes security surfaces at Vercel: sandboxed code execution, multi-tenant isolation, permission boundaries between what a user asked for and what the agent actually did, and resistance to prompt injection and tool misuse. We're looking for a Senior (IC4) software engineer with a strong security background to sit fully embedded inside the v0 team, not as a rotating auditor who reviews designs and files tickets, but as a peer engineer who owns security end to end for everything v0 ships. That means finding and fixing vulnerabilities yourself, building security features directly into the product, reviewing every new feature and launch before it goes out, and running the relationship with our HackerOne researcher community for anything v0-related. You'll spend real time being a great generalist engineer: building features, fixing bugs, shipping to production alongside the rest of the team. The difference is that you bring security judgment and hands-on ownership to everything the team builds, and you're the one who catches the sandbox escape, the auth gap, or the injection vector before it ships, rather than after. This role reports into the security organization but is deployed full-time with v0, and is evaluated as much on shipped product velocity as on security outcomes. As a senior (IC4) engineer, you're expected to operate independently, set the security bar for the team, and be trusted to make the final call on v0-specific tradeoffs. WHAT YOU WILL DO * Find and fix issues yourself: Proactively hunt for vulnerabilities across v0, from code you're reviewing to systems you're actively poking at, and ship the fix, not just the finding. * Build security features directly into the product: Design and implement the security-facing functionality itself (sandboxing/isolation controls, permission boundaries, abuse detection, safe defaults for generated apps) as a normal part of the v0 roadmap, not a side project. * Review all new v0 features and launches: Be the security reviewer of record for everything the team ships (new capabilities, generated-app patterns, integrations) before it goes out the door. * Own the HackerOne relationship for v0: Triage, validate, and drive fixes for reports from Vercel's HackerOne researcher community that touch v0, and work directly with researchers on reproduction and remediation. * Own the v0 threat model: Understand and continuously refine how v0 generates, executes, and deploys code, including sandbox/runtime isolation, permission boundaries between agent actions and user intent, and defenses against prompt injection and tool-use abuse. * Harden code execution boundaries: Work directly on how agent-generated code is scoped, sandboxed, and constrained before it touches real infrastructure, including Vercel's own sandbox and serverless runtimes. * Build guardrails that don't slow the team down: Create patterns, libraries, and checks that let v0 engineers ship new generated-app capabilities quickly without reintroducing known bug classes (auth, SSRF, injection) each time. * Partner with central Product Security: Share threat models, incident learnings, and SDLC tooling with the broader security team, while making the final call on v0-specific tradeoffs since you have the deepest context on the product. * Respond to v0-specific security reports and incidents: Be the first responder and technical owner when a security issue is reported against v0 specifically. * Think like an attacker, and like an agent: Reason about how a user, or an agent acting on that user's behalf, could misuse v0 to attack itself, other tenants, or the platform underneath it. ABOUT YOU * You're a software engineer first: 5+ years building and shipping production web applications, at a level where you operate independently (IC4/Senior). You can pick up a normal feature ticket and ship it end to end, this is not a pure audit/review role. * Strong full-stack fundamentals: Comfortable in TypeScript, React, and Node, and able to work in the same codebase, PR flow, and velocity as the rest of the v0 team. * Real security judgment: You understand authN/authZ design, sandboxing and isolation, injection vulnerability classes, and can reason about "an AI agent writing and running code" as a novel attack surface, even if your background so far has been primarily software engineering rather than a security title. * You influence through code, not just process: You'd rather fix the root cause in a PR than write a policy doc about it. You can be the security conscience of a fast-moving team without becoming its bottleneck. * Comfortable with ambiguity: v0's threat model is still being written. You're excited to define it rather than inherit a mature playbook. * Willing to build with v0, not just secure it: You're happy to actually go use v0 to build things and understand how our products work end to end, not just read the code from the outside. BONUS IF YOU HAVE * Already a v0 user or familiar with how it and Vercel's broader product line work. * Hands-on experience with sandboxing, container isolation, or multi-tenant systems. * Done prompt injection / jailbreak / LLM application security research on an agentic or AI-powered product. * Previously shipped a coding agent, dev tool, or code-generation product end to end. * Relevant security certifications (OSCP, OSWE) or notable bug bounty / CTF history. Nice to have, not required for this role. * Enjoy building content and talking publicly about your work: blog posts, conference talks, or research writeups. We'd love for this role to help tell the story of how v0 approaches security, not just do the work quietly. BENEFITS: * Competitive compensation package, including equity. * Inclusive Healthcare Package. * Learn and Grow - we provide mentorship and send you to events that help you build your network and skills. * Flexible Time Off. * We will provide you the gear you need to do your role, and a WFH budget for you to outfit your space as needed. The San Francisco, CA base pay range for this role is $208,000.00 - $312,000.00. Actual salary will be based on job-related skills, experience, and location. Compensation outside of San Francisco may be adjusted based on employee location. The total compensation package may include benefits, equity-based compensation, and eligibility for a company bonus or variable pay program depending on the role. Your recruiter can share more details during the hiring process. Vercel is committed to fostering and empowering an inclusive community within our organization. We do not discriminate on the basis of race, religion, color, gender expression or identity, sexual orientation, national origin, citizenship, age, marital status, veteran status, disability status, or any other characteristic protected by law. Vercel encourages everyone to apply for our available positions, even if they don't necessarily check every box on the job description.
ABOUT VERCEL: Vercel is the agentic infrastructure company. We free people and agents to ship what’s next. For more than a decade, Vercel has shaped how the web is built. As the team behind Next.js, v0, and AI SDK, we create products that help builders move from idea to production with speed, security, and exceptional developer experience. Now, software is entering a new era, and the next generation of products will not just be used by people. They will be built, extended, and operated by agents. We are building the platform for that future, trusted by companies like OpenAI, PayPal, Ramp, Supreme, and millions of developers worldwide. Whether you’re building our products, supporting our customers, growing our community, or shaping our story, you’ll help define what comes next. ABOUT THE ROLE Vercel builds and maintains a broad portfolio of open source projects that power the modern web, running in millions of applications. Your primary focus will be Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro. A single structural fix at the framework level protects every one of those applications at once, which makes this one of the highest-leverage security roles at the company. We're looking for a security engineer who loves finding a whole class of vulnerability and eliminating it in one move, not someone who's satisfied filing one bug at a time. You'll run deep security assessments of framework internals (routing, middleware, caching, server actions, the build pipeline), find the systemic patterns that produce entire families of bugs, and drive the framework-level fixes and design changes that remove them permanently. You'll also own how these projects handle externally reported vulnerabilities, coordinated disclosure, and CVEs, working directly with maintainers and the open source security community. This includes hands-on ownership of Vercel's open source bug bounty program for these projects: triaging incoming reports, validating and reproducing findings, and driving fixes with the right maintainers. WHAT YOU WILL DO * Hunt for vulnerability classes, not individual bugs: Run deep security assessments of framework internals (routing, middleware, caching, data fetching, server actions/RSC boundaries, build tooling) to find the systemic design patterns that produce whole families of issues. * Drive root-cause framework fixes: Push design changes upstream that eliminate a category of vulnerability across every application built on the framework, rather than patching individual instances as they're reported. * Own vulnerability disclosure and CVEs: Triage security reports from the community and researchers across Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, Nitro, and other maintained OSS projects. Coordinate embargoed fixes, write and publish advisories, and manage the CVE/CNA process end to end. * Run the OSS bug bounty program for these projects: Own triage and validation of incoming reports to Vercel's open source bug bounty program for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro. Reproduce findings, assess severity, and coordinate fixes with the right maintainers and researchers. * Get security into design early: Partner with framework maintainers and core teams during RFCs and design review, so new features ship with security considered from the first draft, not bolted on after a report comes in. * Build preventive tooling: Contribute linters, codemods, and CI checks that catch regressions of previously-fixed vulnerability classes before they land again. * Own supply chain security for these projects: Harden how dependencies, releases, and published packages for Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, and Nitro are built, signed, and distributed. As more contributions and dependency updates are generated or assisted by AI agents, build the review and provenance practices that keep that increased volume safe. * Work with the community, not around it: Engage directly with maintainers, contributors, and external researchers as peers. Bring pragmatic security recommendations to project discussions in a way that respects how these projects actually get built, and represent Vercel in coordinated disclosure norms and working groups when an issue spans multiple ecosystems. ABOUT YOU * You've actually used or broken these frameworks: You've built real things with Turborepo, Nuxt, Svelte/SvelteKit, SWR, Workflow, or Nitro (or closely comparable projects), or you've found and reported security issues in them. This is a hard requirement, not a nice-to-have: we need someone who understands what these projects actually do and how they're actually used, not a generalist parachuting in. * You have a deep appreciation and respect for open source work: You understand that these are community projects with maintainers, contributors, and users who care deeply about them, and you treat that with the seriousness it deserves. You're not here to slow the project down with process for its own sake. * 4+ years in security engineering, ideally with real hands-on open source contribution experience. You've actually sent PRs to projects like these, not just filed issues against them. * You're energized by root cause, not remediation count: Finding the one design flaw that kills fifty potential bugs is more satisfying to you than closing fifty tickets one at a time. * You can read framework internals, not just application code: Strong JavaScript/TypeScript fundamentals and genuine familiarity with how modern meta-frameworks work under the hood (routing, SSR/RSC, middleware, bundling/build systems). * Pragmatic, not theoretical: You can weigh real-world risk against maintainer and community bandwidth, and land on security improvements that actually ship, rather than the theoretically ideal fix that never gets merged. * Vulnerability research chops: Experience with structured security assessment methodology and coordinated/responsible disclosure processes, including handling embargoes and writing clear advisories. * Clear communicator: You can explain a vulnerability, a tradeoff, or a design recommendation clearly to maintainers, contributors, and non-security engineers alike, in writing and in conversation. * Comfortable operating in public: You're used to working transparently with external researchers, maintainers, and the community, not just inside a company's four walls. BONUS IF YOU HAVE * CVE credits or published security research, especially in JavaScript frameworks or the Node ecosystem. * Maintained or heavily contributed to a widely used open source project. * Experience with supply chain security tooling (Sigstore, SLSA/provenance, dependency and package scanning). * Thought about how increasing AI-agent-authored contributions change the risk model for open source maintenance. * Run or triaged for a bug bounty / vulnerability disclosure program before, ideally for open source projects. BENEFITS: * Competitive compensation package, including equity. * Inclusive Healthcare Package. * Learn and Grow - we provide mentorship and send you to events that help you build your network and skills. * Flexible Time Off. * We will provide you the gear you need to do your role, and a WFH budget for you to outfit your space as needed. The San Francisco, CA base pay range for this role is $208,000.00 - $312,000.00. Actual salary will be based on job-related skills, experience, and location. Compensation outside of San Francisco may be adjusted based on employee location. The total compensation package may include benefits, equity-based compensation, and eligibility for a company bonus or variable pay program depending on the role. Your recruiter can share more details during the hiring process. Vercel is committed to fostering and empowering an inclusive community within our organization. We do not discriminate on the basis of race, religion, color, gender expression or identity, sexual orientation, national origin, citizenship, age, marital status, veteran status, disability status, or any other characteristic protected by law. Vercel encourages everyone to apply for our available positions, even if they don't necessarily check every box on the job description.
ABOUT VERCEL: Vercel is the agentic infrastructure company. We free people and agents to ship what’s next. For more than a decade, Vercel has shaped how the web is built. As the team behind Next.js, v0, and AI SDK, we create products that help builders move from idea to production with speed, security, and exceptional developer experience. Now, software is entering a new era, and the next generation of products will not just be used by people. They will be built, extended, and operated by agents. We are building the platform for that future, trusted by companies like OpenAI, PayPal, Ramp, Supreme, and millions of developers worldwide. Whether you’re building our products, supporting our customers, growing our community, or shaping our story, you’ll help define what comes next. ABOUT THE ROLE: We are looking for a Security Engineer to join our Detection Response team. In this role, you will be responsible for managing Vercel’s internal Corporate Security (CorpSec) posture, monitoring for security anomalies, building additional detections and visibility mechanisms, and ensuring the overall security of our internal systems. You will work closely with various teams to support audits, optimize visibility, and handle security incidents as they arise. If you’re based within a pre-determined commuting distance of one of our offices (SF, NY, London, or Berlin), the role includes in-office anchor days on Monday, Tuesday, and Friday. If you're located beyond that distance, the role is fully remote. For location-specific details, please connect with our recruiting team. WHAT YOU WILL DO: * Monitor and respond to security alerts across multiple channels, including managed SOC escalations. * Maintain visibility and logging infrastructure, ensuring effective SIEM (Security Information and Event Management) operations. * Support security audits for PCI, SOC2, ISO, and other compliance frameworks, gathering evidence and collaborating with Engineering, GRC and the broader Security Division. * Proactively enhance security operations by developing and deploying new detections, security tooling and rigorously managing key security partners. * Work on security investigations, incidents, and urgent requests as they arise, as well as contributing to the build-out and continuous improvement of the on-call process to enhance efficiency and effectiveness. * Continuously act as a guardian to enable the business to navigate risk-based changes. * Manage and enhance email security, endpoint security posture (EDR, configuration, and management), GitHub administration best practices, and internal security tooling to strengthen Vercel's overall security framework ABOUT YOU: * Extensive experience in security operations, including SIEM management, security logging, and detection engineering. * Strong knowledge of AWS infrastructure and cloud security best practices. * Experience with GitHub administration and security controls. * Proficiency in SQL for data analysis and security investigations. * Hands-on experience with incident response, including detection, triage, and remediation. * Strong endpoint management skills across multiple operating systems (Mac, Windows, Linux). * Proficiency in at least one scripting language (Python, Bash) and one compiled language (Rust, Go). * Familiarity with serverless functions and API security is a plus. BONUS IF YOU: * Have experience working with managed SOC providers and security automation platforms. * Have worked in high-growth, cloud-native environments with a focus on scalability. * Are comfortable working in a fast-paced environment with shifting priorities. BENEFITS: * Competitive compensation package, including equity. * Inclusive Healthcare Package. * Learn and Grow - we provide mentorship and send you to events that help you build your network and skills. * Flexible Time Off. * We will provide you the gear you need to do your role, and a WFH budget for you to outfit your space as needed. The San Francisco, CA base pay range for this role is $208,000-$312,000. This salary range is an estimate. Actual salary will be based on job-related skills, experience, and location. The total compensation package also includes benefits and equity-based compensation. Your recruiter can share more about the specific pay range for your location during the hiring process. Vercel is committed to fostering and empowering an inclusive community within our organization. We do not discriminate on the basis of race, religion, color, gender expression or identity, sexual orientation, national origin, citizenship, age, marital status, veteran status, disability status, or any other characteristic protected by law. Vercel encourages everyone to apply for our available positions, even if they don't necessarily check every box on the job description.