Startale Group is a startup whose ecosystem includes a decentralized exchange and a stablecoin. This role is focused on securing those products through hands-on security testing, threat modeling, and vulnerability management, with the goal of protecting user funds and transactions.
Responsibilities:
- Conduct hands-on security testing of our applications, APIs, and infrastructure
- Simulate real attack scenarios against our products
- Find the vulnerabilities before external attackers or whitehat researchers do
- Work with engineers to fix issues pragmatically
- Build threat models for new services and features — especially Strium's trading engine, order book, and transaction flows
- Identify attack surfaces, model adversary behavior, and define what needs to be hardened before launch
- Own the end-to-end lifecycle of findings — from discovery through severity assessment, developer-facing write-ups, remediation guidance, and verification of fixes
- Coordinate with engineers so issues actually get closed
- Manage incoming whitehat reports, validate findings by reproducing them, assess severity, communicate with researchers
- Assess technical risks related to AI tools used within teams, maintain security baselines for AI coding tools, and review AI-powered internal tools
Requirements:
- 5+ years of hands-on experience with a focus on application security, penetration testing, or product security
- Demonstrated ability to find vulnerabilities — through manual testing, architecture and/or code review, or creative attack simulation. You should be able to describe specific bugs you've found and how you found them
- Practical experience with exchange or trading platform security — from a DEX (preferred) or DeFi protocol. You should understand order book mechanics, transaction flows, wallet security, and the threat landscape specific to trading infrastructure
- Scripting and automation ability — you write tools and automate to scale security across the stack, not just audit and write reports
- Experience triaging vulnerabilities and writing clear, actionable remediation guidance for developers
- Strong written communication in English — you'll write tickets, assessment reports and researcher responses
- Experience with cloud infrastructure security — least-privilege enforcement, network security, secrets management
- Experience with container security — network policies, RBAC, pod security standards, image scanning, Dockerfile hardening, base image management
- Ability to read and review code in at least one of: TypeScript/JavaScript, Solidity, Rust
- Understanding of software supply chain security, including dependency risks, build integrity, and methods for tracking what components are included in shipped software
- Experience managing or participating in a bug bounty program (e.g. Immunefi, HackerOne)