About the company
MoonPay is the world's leading web3 infrastructure company. We provide end-to-end solutions for payments, enterprise-scale smart contract development, and digital asset management. Many of the world's most iconic brands rely on MoonPay to power their web3 strategies and ideas.
Job Summary
About the role:
MoonPay's Product Security team is a dynamic blend of proactive defenders and inquisitive problem-solvers, dedicated to strengthening systems through rigorous security reviews and hands-on penetration testing. As a Product Security Engineer, you will embed security best practices throughout the SDLC, manage the Bug Bounty program, research emerging threats, and help spread a secure-by-design culture across the organisation.
Responsibilities:
• Conduct threat modelling reviews of Technical Design Documents (TDDs) for new and existing features, providing clear, actionable security recommendations early in the design process.
• Perform and support application security assessments, including penetration testing, vulnerability assessments, and proof-of-concept (PoC) development where appropriate.
• Investigate, triage, and respond to Bug Bounty program submissions, validating findings and working with engineering teams to drive timely remediation.
• Own and continuously improve application-layer protections, including managing and tuning Cloudflare WAF and related security controls.
• Partner closely with engineering teams to embed security best practices throughout the SDLC, from design and development through deployment and maintenance.
• Research and track emerging threats and vulnerabilities, translating findings into practical mitigation strategies relevant to our technology stack.
• Develop and deliver security guidance, training, and awareness for engineering teams to raise the overall security maturity of the organization.
• Contribute to the creation, maintenance, and evolution of security standards, processes, and documentation.
• Participate in and eventually lead incident response activities, supporting investigation, containment, remediation, and post-incident improvements.
Requirements:
• Breadth of experience across multiple security domains, including web and mobile application security, infrastructure and cloud security.
• Hands-on experience performing white-box, source code-assisted web and mobile application penetration testing, from vulnerability discovery through triage and exploitation.
• Ability to read, understand, and review source code to identify security issues, with a particular focus on JavaScript and TypeScript codebases.
• Strong understanding of Threat Modelling principles and their practical application to the secure SDLC.
• Experience working with web application firewalls to help protect applications, assess coverage, and support tuning rules to mitigate common attack patterns.
• Experience embedding application security practices into CI/CD pipelines, enabling early detection of vulnerabilities and close collaboration with engineering teams.
• Demonstrated ability to clearly communicate security findings, explain vulnerabilities, attack paths, and mitigations to both technical and non-technical audiences.
• Self-motivated, proactive, and takes strong ownership of work, operating effectively in a remote environment while maintaining a collaborative, team-focused mindset.
Nice-to-have:
• Experience in JavaScript and TypeScript, including the ability to read, understand, and reason about modern web application codebases.
• Experience working with Cloudflare, including its hosting and Web Application Firewall (WAF) capabilities.
• Experience testing and securing GraphQL and REST APIs, including understanding common attack vectors and security considerations.
• Experience or a strong interest in Web3 security testing, including assessing smart contracts, blockchain-based applications, or Web3 integrations.
• Interest in agentic engineering, including emerging patterns in autonomous systems, tooling, or workflows, and their security implications.
• Contributions to the security community through open source involvement, CTFs, or speaking at information security meetups and conferences.
• Background working with disruptive technologies within FinTech, SaaS, or Crypto.
• One or more security-relevant certifications such as OSCP or OSWE.



