Senior Security Researcher
About us
TruffleHog is a popular open source tool used by security researchers all over the world to find leaky API keys and responsibly disclose them to affected companies. This provides income through bug bounty platforms like HackerOne to individuals that may otherwise have a hard time finding employment. This also prevents breaches from occurring, which can be very costly for companies to resolve.
When we founded Truffle Security Co. in February of 2021, we committed to continue to grow a community with security researchers around the world, and continue to provide free and open resources to support those that make the world more secure. We have a strong commitment to open source and to the community. We’re looking for help supporting our mission to prevent leaking credentials and build the best products for machine identity protection.
At Truffle, you’ll have the opportunity to join a fully remote, collaborative team contributing to meaningful advancements in cybersecurity.
About the role
In this highly visible, community-focused position, you will spearhead open-source security research projects and share your findings with the broader security community via blog posts, videos, webinars, conference talks, and open-source code contributions. By highlighting real-world security vulnerabilities, you’ll help amplify the Truffle Security brand and inspire organizations to better secure themselves.
Below are 4 blog posts to give you a sense for our style of research:
- Anyone can Access Deleted and Private Repository Data on GitHub
- 10% of TLS Certificates Reuse Private Keys (Presented at OWASP Global SF)
- Cracking Open APK Files at Scale
- Millions of Accounts Vulnerable due to Google's OAuth Flaw (Presented at Shmoocon)
Working closely with our Security Research team lead, you'll have the opportunity to select and run research projects that align with industry trends, emerging threats, product features, and company goals. Your expertise in application security AND one other information security domain will drive the creation of engaging, credible content that resonates with both technical and non-technical audiences.
What you'll be working on
- Conduct cutting-edge open-source security research in areas broadly related to secrets (application security, cloud security, DevSecOps, etc.)
- Create engaging content to showcase research findings, including blog posts, technical documentation, videos, and whitepapers.
- Present at conferences and industry events to share your discoveries, represent Truffle Security, and build community interest/trust
- Build Proof-of-Concept tools to assist with research and then share them internally with engineering
- Contribute to Truffle Security’s Open-Source Tools when research drives new improvements to TruffleHog or requires a new tool altogether
- Serve as a security subject matter expert for engineering by helping track down the occasional security bug, providing insight on a new product/feature, and knowledge sharing.
- Maintain a positive, respectful, and ethical attitude in all external and internal interactions. There's no room for egos or “gotchas” when dealing with security research.
What we're looking for
- Proven background in security research - Ideally, you have written/presented about security vulnerabilities in the past and can share some of these with us
- Expertise in application security, plus experience in at least one other category:
  - Cloud Security
  - DevSecOps
  - Data Analytics
  - Blue Team
  - ...Something else? Surprise us!
- Excellent technical writing skills that demonstrate clarity, depth, and accuracy
- History of public speaking on security topics, with the ability to engage and educate technical and non-technical audiences.
- Intermediate programming skills - your code doesn’t need to be production-ready, but you should be highly comfortable prototyping and building proof-of-concept tools.
  - We work primarily in Python and Golang.
- Familiarity with LLM tools and how to effectively incorporate them into research and programming workflows.
- Strong collaboration abilities - You’re equally good at respectfully asking for help and humbly providing it.
- Ability to juggle multiple long-term research projects - We often run 5 or 6 projects simultaneously without compromising quality or timelines.
- High ethical standards and integrity - We find many security vulnerabilities in our research, and it takes maturity to handle interactions with the organizations we disclose to.
- Attention to Detail - There are many moving parts during research projects, and this role requires patience and extreme attention to detail.
Please note: At this time, we’re hiring in the United States only for this role as this role involves frequent opportunities to present at conferences and collaborate within US time zones.
Salary range: The target salary range for this position is between $156,000 - $184,000. Starting salary will vary based on job-related skills, knowledge, and experience. Leveling will be determined during the interview process. You may also be offered a bonus, stock options, and benefits. These salary ranges are subject to change, and we encourage candidates outside of this salary range to apply.
How we support our team
- Commitment to building a culture of mentorship, equity, and psychological safety
- Competitive compensation and equity package
- 401(k) with 6% company match
- Flexible paid time off
- 14 paid holidays, including Thanksgiving and Winter break, and "Truffle Holidays" where the entire company takes a day off
- Medical, dental, and vision coverage
  - 80% premium coverage for employees & their dependents
- Remote work stipend
  - $800 new hire stipend, and $100/month thereafter. We want you to be comfortable working remotely.
- Health & wellness stipend
  - $1,200/year. Maintaining your physical, mental, and emotional well-being is foundational to doing your best work.
- Learning & development stipend
  - $2,000/year. Adopting a growth mindset allows you to grow professionally and personally.
- Company off-sites!
  - We’re 100% remote with no office, but won’t let that stop us from working closely together. Past destinations have included Hawaii, Cabo, Chicago, Savannah, and the Rocky Mountains.
We’re looking for folks who are interested in being part of the journey to make the internet more secure. The internet is for all, and we believe that diverse experiences and people from all walks of life can contribute to this mission. That said, if what we’re doing resonates with your values, we’d love to have you apply even if you don’t check all of the boxes or match the job description to a tee.
Truffle strives to promote an equitable, inclusive, and psychologically-safe workplace for all who are interested in working with us. All job applicants will be considered throughout the employment process without regard to race, color, ethnicity, religion, sex, sexual orientation, gender perception/identity, age, pregnancy or parental status, disability status, or any other basis prohibited by law. If you are an individual with disabilities and reasonable accommodation is needed throughout the interview process, or to perform essential job functions, please let your recruiter know.
Lastly, we ask that all applicants consider the opportunity to answer a few voluntary demographic questions on the job application. This helps us track the inclusivity of our recruiting initiatives. Answering these questions is entirely optional and your answers will not be shared with the hiring team and will not impact the hiring decision.
Note: Our organization participates in the US federal E-Verify program. We will provide the Social Security Administration, and if necessary, the Department of Homeland Security, with information from each new employee’s Form I-9 to confirm work authorization. We do not use this information to pre-screen job applicants.