AppSec Jobs

RAPIDFORT

Senior Linux Distribution Engineer — Software Supply Chain Security

Remote
United States · Posted 2 weeks ago · $150,000–$200,000
Apply on LinkedIn →

At a Glance

5+ years experience · Python · Go · CI/CD · DevSecOps

About This Role

We are looking for a deeply technical Linux Distribution Engineer to build, maintain, and secure Linux package ecosystems and hardened container images across modern cloud-native platforms. This role sits at the intersection of Linux distributions, package management, and software supply chain security.

You will own the lifecycle of identifying vulnerabilities, validating fixes, rebuilding or backporting packages across distribution branches, maintaining trusted package repositories, and ensuring secure software delivery at scale. You will work across multiple Linux distribution ecosystems to deliver production-ready packages and container images tailored to customer environments, which requires deep expertise in Linux packaging, dependency management, repository management, compatibility validation, and automated software delivery.

This is a hands-on engineering role focused on Linux internals, package systems, dependency management, build pipelines, repository management, and automation, not simply vulnerability scanning or policy compliance. You will collaborate closely with platform engineering, infrastructure, DevOps, release engineering, and security teams to improve how software is built, validated, secured, and distributed across containerized environments.

Responsibilities

  • Own end-to-end vulnerability remediation across Linux package ecosystems and container images
  • Analyze CVEs affecting OS packages, runtimes, libraries, and transitive dependencies across multiple Linux distributions
  • Validate upstream fixes, evaluate patch applicability, and determine appropriate remediation strategies
  • Rebuild, backport, patch, curate, sign, and publish packages across multiple Linux distribution branches
  • Maintain and manage trusted package repositories across diverse Linux ecosystems
  • Resolve complex dependency, compatibility, and ABI issues across distributions and package versions
  • Ensure package and image updates do not break customer environments, builds, or runtime compatibility
  • Design and scale automated pipelines for package rebuilding, validation, remediation, signing, publishing, and image generation
  • Integrate package validation, repository management, and remediation workflows into pipelines
  • Generate and maintain SBOMs, package metadata, provenance data, and trusted software artifacts
  • Improve image performance, package footprint, startup efficiency, and operational reliability
  • Research emerging threats and best practices in Linux distributions, containers, Kubernetes, and software supply chain security
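The "evaluate patch applicability" and "rebuild or backport across distribution branches" items above both reduce, at the mechanical level, to one question per branch: does the version installed in a customer image already sort at or above the version in which the advisory's fix shipped? The following is an added example, not RapidFort's code: a pure-Python port of dpkg's version ordering (epoch, then upstream version, then debian_revision, with `~` sorting before everything and digit runs compared numerically), plus a small triage helper. The package, branch names and version strings in `ADVISORY` are constructed sample data, not a real advisory.

```python
"""Decide whether an installed Debian/Ubuntu package already carries an advisory's fix.

Added example: a pure-Python port of dpkg's version ordering. The ADVISORY table
(branches, fixed versions) is constructed sample data, not a real security advisory.
"""
from functools import cmp_to_key


def _order(c):
    """Weight of one character in a non-digit run, mirroring dpkg's order()."""
    if c == "~":
        return -1          # tilde sorts before everything, even the end of the string
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)      # letters sort before non-letters
    return ord(c) + 256    # '+', '.', etc. sort after letters


def _cmp_part(a, b):
    """Compare one component (upstream or revision) the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # 1. non-digit run: modified lexical order from _order()
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # 2. digit run: numeric comparison (leading zeros dropped, longer run wins)
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; the last hyphen separates the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""   # missing revision compares equal to "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _cmp_part(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def sort_versions(versions):
    """Oldest to newest under dpkg ordering."""
    return sorted(versions, key=cmp_to_key(compare_versions))


# Constructed sample: fixed version per branch; None means no fix published yet.
ADVISORY = {
    "bookworm": "3.8.1-2+deb12u1",
    "bullseye": "3.6.4-1~deb11u2",
    "sid": None,
}


def remediation_status(branch, installed, advisory=ADVISORY):
    """Classify an installed version against the branch's fixed version."""
    fixed = advisory.get(branch)
    if fixed is None:
        return "vulnerable: no fixed version published for this branch"
    if compare_versions(installed, fixed) >= 0:
        return "fixed"
    return "vulnerable: upgrade to " + fixed


if __name__ == "__main__":
    for v in ["3.8.1-2", "3.8.1-2+deb12u1", "3.8.1-2+deb12u2"]:
        print(f"bookworm {v}: {remediation_status('bookworm', v)}")
    print(sort_versions(["1.0", "1.0~rc1", "1:0.9", "1.0-1", "1.0+b1"]))
```

Cross-check any surprising result against the reference implementation, `dpkg --compare-versions A lt B`, before acting on it. Two caveats a practitioner would want: this ordering is Debian-specific (rpm's rpmvercmp and apk's version rules differ, so the same strings must not be fed through it for those ecosystems), and "sorts at or above the fixed version" is necessary but not sufficient when a branch carries a rebuilt or backported package: the engineer still confirms the upstream patch is actually present in that build.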

Requirements

  • 5+ years of experience in Linux systems engineering, Linux distribution engineering, platform engineering, DevSecOps, release engineering, or SRE
  • Deep expertise in Linux distributions and package ecosystems
  • Strong experience with Linux package build systems and tooling including rpmbuild, dpkg-buildpackage, APKBUILD/abuild, and associated repository and release tooling
  • Strong hands-on experience with Linux package managers including dpkg/apt, rpm/yum/dnf, apk, and associated repository tooling
  • Proven experience rebuilding, patching, backporting, maintaining, or publishing Linux packages across distribution versions
  • Strong understanding of package repositories, dependency resolution, ABI compatibility, package signing, and release workflows
  • Experience identifying and remediating vulnerabilities within Linux packages and containerized environments
  • Deep understanding of container internals, Linux namespaces, and runtime behavior
  • Strong scripting or programming skills in Bash, C/C++, Python, Go, and other languages
  • Experience building CI/CD automation for package validation, remediation, release, and repository management workflows
  • Familiarity with software supply chain security concepts including SBOMs, provenance, signing, and artifact trust
  • Strong troubleshooting skills across Linux systems, package ecosystems, dependency graphs, and build pipelines
  • Nice to Have: Experience maintaining or contributing to Linux distributions or open source package ecosystems
  • Nice to Have: Experience with package build infrastructure such as mock, Koji, OBS, Launchpad, or similar systems
  • Nice to Have: Experience building minimal, distroless, or hardened container images
  • Nice to Have: Familiarity with SBOM tooling and standards
  • Nice to Have: Familiarity with SLSA, reproducible builds, or software supply chain security frameworks
  • Nice to Have: Contributions to open source infrastructure, Linux packaging, or container ecosystem projects

Benefits & Perks

Healthcare
PTO
Equity participation

About RAPIDFORT

RapidFort is a cloud-native cybersecurity company based in Sunnyvale, California, founded in 2019. It specializes in Software Attack Surface Management (SASM) and has developed a platform that automates the identification, prioritization, and remediation of software vulnerabilities without requiring code changes. This approach significantly reduces the time developers spend on vulnerability and patch management, allowing them to focus on building applications. The RapidFort platform features three main components: DevTime Protection Tools for security during development, Curated Near-Zero CVE Images that are pre-hardened to minimize vulnerabilities, and RunTime Protection Tools for monitoring during production. The platform achieves up to 95% CVE remediation and up to 90% attack surface reduction by removing unused and unreachable components from software. It also provides automated vulnerability management, real-time visibility, and compliance acceleration for standards like FedRAMP and CMMC. RapidFort's solutions are available on AWS Marketplace and Google Cloud Marketplace.

Industry

computer & network security

Employees

110

38 engineers

Revenue

$1M


Security at RAPIDFORT

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

  • Stated AppSec Mission: Eliminate up to 99.9% of CVEs Continuously without Code Changes.
  • Developer Enablement vs. Gatekeeping: solve up to 90% of software vulnerabilities automatically without involving developers.
  • Risk Philosophy: Execution-Aware Security.
  • Stated Pain Points or Goals: AST tools cannot help dev teams when vulnerabilities exist in OSS code they didn't write.
  • Smart Shift-Left Security approach.
  • Gaps & Contradictions: While the company emphasizes 'Smart Shift-Left,' public documentation focuses heavily on automated remediation rather than specific developer training programs.

Security Team

  • Org Structure & Reporting Line: Information not publicly available.
  • Key Public-Facing Leaders: Mihai Voicu, CISO; Mehran Farimani, CEO; Russ Andersson, COO.
  • Team Size Estimate: ~10-15 AppSec professionals based on LinkedIn search.
  • Active AppSec Job Postings: 1.
  • Common Skill/Tool Patterns: Familiarity with CVEs, security advisories, SBOMs, vulnerability management, and container hardening.
  • Gaps & Contradictions: Explicit AppSec org reporting lines and internal team hierarchy are not publicly available.

Key Initiatives

  • Shift Left in Practice: Smart Shift-Left Security.
  • Vulnerability Management Process: intake via Instrument & Profile (SBOM/RBOM); triage and remediation of up to 95% of vulnerabilities without code changes.
  • Secure SDLC Artifacts: Curated Images provide hardened, production-grade base images with Near-Zero CVEs.
  • Recent Initiatives: RapidFort launches Runtime Protection to automatically monitor and secure Kubernetes workloads.
  • Security Champions Program: No evidence found.
  • Gaps & Contradictions: No public evidence of a formal Security Champions program or specific remediation SLAs was found.
