[Hiring] Security Analyst, Bug Bounty @Stripe

Role Description

We are seeking a highly technical and detail-oriented Security Analyst to join our team, focusing on the front lines of bug bounty triage and researcher engagement. In this role, you will be responsible for the end-to-end lifecycle of security vulnerability reports from our bug bounty program. You will own the overall effectiveness of Stripe's bug bounty program with autonomy to implement continuous improvements (e.g., researcher campaigns, scoring transparency).

You will play a key role in understanding the root cause of vulnerabilities, coordinating timely resolutions, and directly impacting the security posture of Stripe’s products. A core aspect of this role is developing a deep understanding of Stripe and acquired company products, assets, and their configuration to effectively assess and prioritize vulnerabilities.

Responsibilities

• Analyze, assess, reproduce, and triage incoming security vulnerability reports from the bug bounty program.
• Communicate clearly and effectively with security researchers to follow up on unclear reports, drive report clarity, and increase engagement with top hackers.
• Understand the root cause of security vulnerabilities to help product and engineering teams fix them, and advise on the right mitigation strategies.
• Drive the lifecycle of submissions through to resolution, coordinating with product and engineering stakeholders.
• Act as the security bridge between external researchers and internal teams to facilitate rapid and effective remediation.
• Conduct in-depth data analysis on bug reports and vulnerability patterns to identify systemic risks and inform new security initiatives.
• Provide tactical support for vulnerability management triage processes to augment the team as needed.
• Prepare and implement improvements to the overall bug bounty program.
• Provide feedback and requirements for tool development to enhance triage and security workflows, leveraging opportunities for automation.

Qualifications

• Proven ability to follow bug reports, reproduce, and accurately triage security vulnerabilities.
• Deep familiarity with web security issues, attack vectors, and exploit methodologies (e.g., OWASP Top 10, CWEs, CVEs).
• Competent in offensive security tools to reproduce issues (e.g., Burp Suite, Nuclei, custom scripting).
• Ability to think like an attacker to understand the impact of vulnerabilities.
• Proficient in clear and concise written and verbal communication, with the ability to convey complex technical concepts to both technical and non-technical stakeholders.
• Experience in one of the following areas:
• Direct experience in a bug bounty program or triaging security vulnerability reports.
• Direct, deep knowledge of Stripe products and assets, coupled with strong general security knowledge.

Preferred Qualifications

• Experience in a technical support, operations, or similar role with broad exposure to technical systems and customer/partner communication.
• Prior participation in or experience with bug bounty programs and platforms.
• Experience with analyzing source code to find security vulnerabilities.
• Proficiency in one or more scripting languages (e.g., Python, Ruby) for automation and data analysis.
• Familiarity with cloud-based services and infrastructure (e.g., AWS, GCP, Azure).
• Relevant certifications such as Offensive Security Web Assessor (OSWA) or Burp Suite Certified Professional (BSCP).