[Hiring] Senior Product Security Engineer @Pomelo Care

Role Description

As our first Product Security Engineer , you will sit at the intersection of Security and Software Engineering. Reporting directly to the CISO, you will be a "Security Builder": embedded within our engineering teams with the autonomy needed to build the automation, tools, and workflows that make security a seamless part of the software development lifecycle.

Your work will be centered on three core strategic pillars:

• Secure architecture and auth: Design and implement auth enhancements such as magic link improvements and access/audit log features to monitor access and improve transparency.
• Privacy engineering: Lead privacy engineering initiatives including DSAR integration, building automated data deletion capabilities directly into the Pomelo mobile app and our internal platform to ensure seamless compliance. Help improve privacy-preserving data de-identification and anonymization as needed.
• Full-cycle remediation: Own the end-to-end pentest-to-fix lifecycle. Write the code to fix penetration test findings, remediate SAST issues, and build greenkeeping systems for high-volume dependency patching with regression testing.

Beyond these pillars, you will serve as a high-leverage engineering partner to the broader InfoSec team by:

• Building secure-by-default libraries: Create internal libraries and patterns that make security the default path.
• Threat modeling: Partner with engineering leads to conduct threat modeling and ensure secure design at the earliest stages of the development process.
• Scaling through collaboration: Help engineering squads navigate complex security use cases, translating GRC requirements into elegant code rather than manual checklists.

Qualifications

• 5+ years of software engineering experience with a strong foundation in computer science.
• Track record of shipping production-grade code (Python, Go, Kotlin or similar).
• Understanding of the OWASP Top 10, identity flows, and prompt injections.
• Experience with automation and keeping up with trends in LLM agents.
• Comfortable context-switching and building rapport with different engineering teams.

Requirements

• Experience with Google Cloud Platform (GCP), Github Advanced Security (GHAS), Stytch, Sentry, Fullstory, Statsig or similar technology stack.
• Prior experience in healthcare data, including understanding of HIPAA, SOC 2 Type 2 and HITRUST compliance requirements.
• Experience building data infrastructure that supports AI/ML workloads, internal developer platforms, and privacy-preserving data de-identification and anonymization techniques.
• Previous work in a fast-paced, product-oriented startup environment.

Benefits

• Competitive healthcare benefits.
• Generous equity compensation.
• Unlimited vacation.
• Membership in the First Round Network (a curated and confidential community with events, guides, thousands of Q&A questions, and opportunities for 1-1 mentorship).