AppSec Jobs

Interactive Brokers

Security Engineer – Bug Bounty

Hybrid
Hyderabad, Telangana, India
Posted 2 days ago

At a Glance

Python, Pen Testing, DAST

About This Role

We are looking for a Security Engineer focused on Bug Bounty who treats researcher reports as security data, not support tickets. This is not a coordination role — you will be hands-on validating vulnerabilities, reproducing exploits, and working directly with engineering teams to drive fixes. You will own the full lifecycle of the program: scope design, triage, researcher relations, remediation tracking, and the upstream feedback that turns external findings into internal controls.

The other half of this role is developer partnership. Findings that sit in a backlog do not improve security. You will reduce the friction that keeps confirmed vulnerabilities from being fixed — translating researcher reports into clear remediation guidance, removing ambiguity that slows engineers down, and identifying the process or tooling gaps that let the same vulnerability class appear repeatedly. A deep understanding of how vulnerabilities actually work — not just how to classify them — is fundamental to success here.

Responsibilities

  • Own day-to-day operations of the bug bounty program on the managed platform, including report triage, severity assessment, researcher communication, and payout decisions — maintaining SLA compliance across all inbound volume
  • Reproduce and technically validate submitted vulnerabilities across web, API, mobile, and trading infrastructure attack surfaces — reason independently about exploitability in context, not just what the report claims
  • Classify findings using CVSS, OWASP, and business impact criteria; distinguish genuine risk from theoretical severity; escalate critical issues into incident response workflows with enough context for engineering leadership to act immediately
  • Act as a remediation partner, not just a reporter — work directly with developers to clarify findings, provide exploit context, reproduce issues where needed, and give fix guidance grounded in how the vulnerability actually works; track what slows remediation and fix it
  • Identify recurring vulnerability classes across inbound reports and feed patterns back into AppSec initiatives — SAST rule tuning, developer training, design review checklists — closing the loop from external discovery to internal prevention
  • Maintain program scope, out-of-scope guidance, and rules of engagement; adjust based on surface area changes, new products, and program maturity signals
  • Coordinate with legal, compliance, and communications on responsible disclosure edge cases, researcher disputes, and public disclosure timelines
  • Produce monthly and quarterly program metrics for security leadership — coverage, triage velocity, remediation cycle times, finding trends — with enough analytical depth to drive program decisions
  • Evaluate attack surface expansions — new APIs, products, acquisitions — for readiness to enter program scope

Requirements

Python, DAST, Burp Suite
  • 2–5 years in application security, penetration testing, bug bounty operations, or a security engineering role with hands-on validation focus
  • Strong foundational knowledge of how web application vulnerabilities work at a technical level — SSRF, IDOR, auth bypass, injection classes, business logic flaws, API authorization failures, OAuth misconfigurations — not just awareness of their names
  • Ability to read a researcher report and independently reason about exploitability in the specific context of the application — understand trust boundaries, data flow, and what an attacker would actually need to trigger the finding
  • Experience operating a bug bounty or vulnerability disclosure program on a managed platform — Bugcrowd, HackerOne, or equivalent — with ownership of triage decisions and researcher communication
  • Strong written communication under pressure — you will be writing triage decisions to elite researchers and remediation guidance to developers simultaneously; both audiences require clarity and credibility
  • Familiarity with REST and GraphQL API security, OAuth 2.0 flows, session management, and web application architecture at the level needed to validate findings without relying on the researcher's reproduction steps alone
  • Ability to work cross-functionally with engineering teams — translate security findings into actionable, developer-friendly guidance that engineers will actually implement rather than defer
  • Nice to have: Active bug bounty participation as a researcher
  • Nice to have: Development background
  • Nice to have: Experience in financial services or a similarly regulated environment
  • Nice to have: Scripting ability in Python or Bash
  • Nice to have: Familiarity with DAST tooling (Burp Suite Pro, Nuclei, ZAP)

Benefits & Perks

  • Competitive salary package
  • Performance-based annual bonus (cash and stocks)
  • Hybrid working model (3 days office/week)
  • Group Medical & Life Insurance
  • Modern offices with free amenities & fully stocked cafeterias
  • Monthly food card & company-paid snacks
  • Hardship/shift allowance with company-provided pickup & drop facility
  • Attractive employee referral bonus
  • Frequent company-sponsored team building events and outings

About Interactive Brokers

Interactive Brokers Group, Inc. (IBKR) is a prominent global electronic brokerage firm founded by Thomas Peterffy. Established in 1993, the company provides automated direct-access trade execution and clearing services to sophisticated individual investors, hedge funds, proprietary trading groups, financial advisors, and introducing brokers in over 200 countries. Headquartered in Greenwich, Connecticut, IBKR has a strong focus on technology-driven efficiency and broad market access. IBKR offers a wide range of investment products and tools through a single integrated platform. Clients can access equities, options, futures, forex, bonds, mutual funds, ETFs, and cryptocurrencies. The firm provides various account types and features, including the Trader Workstation (TWS), mobile trading app, and risk management tools. With a commitment to low costs and superior execution, IBKR aims to help clients achieve optimal returns. As of December 2025, the company reported over 4.3 million client accounts and significant growth in client equity.

Industry

Financial services

Employees

3,100

632 engineers

Revenue

$10B

Website


Security at Interactive Brokers

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

Interactive Brokers maintains a general commitment to security and privacy, with a stated focus on continuously improving services and enhancing security performance. However, a specific Application Security mission statement, risk philosophy, or stance on developer enablement versus gatekeeping is not publicly available.

Security Team

The Interactive Brokers security team includes leadership at the Vice President level, specifically Sreenarayan Ashokkumar, who oversees global cyber security across technology. While specific team size and reporting lines are not publicly disclosed, the company is actively hiring for roles that intersect with security infrastructure, such as Senior Platform Engineers. These roles emphasize technical proficiency in logging and observability tools.

Key Initiatives

Information regarding specific AppSec initiatives, such as Security Champions programs, 'Shift Left' practices, vulnerability management SLAs, or secure SDLC artifacts, is not publicly available. Public documentation focuses primarily on end-user security features like the Secure Login System.
