Consensys

Senior Application Security Engineer

UNITED STATES - Remote, EMEA - Remote
Posted Today

Job Description

Consensys is the leading blockchain and web3 software company. Founded by Joe Lubin, CEO of Consensys and Co-Founder of Ethereum in 2014, Consensys has been at the forefront of innovation, pioneering technological developments within the web3 ecosystem.

The financial system is being rebuilt on open, programmable infrastructure, and Consensys is helping power that transition. From MetaMask, the platform trusted by tens of millions of users worldwide, to Linea, the only 100% proven zkEVM rollup and an emerging home for institutional ETH capital, Consensys builds products and infrastructure that enable users, developers, and institutions to participate in the next generation of the internet.

Our mission is to unlock the collaborative power of communities by making the decentralized web universally easy to access, use, and build on.

Joining Consensys means working with a fully remote, globally distributed team of technologists, designers, cryptographers, product thinkers, and researchers who are building the next layer of the internet. You'll be exposed to new ideas, emerging technologies, and complex challenges that push you to stay at the top of your game while helping scale products and infrastructure used by tens of millions of users and thousands of developers across the web3 ecosystem. You'll join a network of builders that reaches the edge of our ecosystem. Consensys alumni have moved on to become tech entrepreneurs, CEOs, and team leads at tech companies.

About MetaMask

We’re building for a future where the internet and world economy empower people through interactions based on consent, privacy, and free association. Where both communities and individuals flourish. To accomplish that, we’re working hard to make web3 accessible for everyone around the world.

MetaMask is both a crypto wallet and a gateway to the decentralized web. Our tools help people create communities, play video games, access financial services, make payments, invest in assets, protect against economic turmoil, and more. Our browser extension and mobile platforms meet the needs of millions of users and developers across the world.

Originally a humble key manager, today MetaMask serves over 30 million monthly active users as a decentralized application development platform, an aggregator of decentralized cryptocurrency exchanges, and a decentralized identity manager.

About the Role

MetaMask has experienced explosive user growth over the past year as a cryptographic key manager and web3 application development platform. As this user base continues to grow, an immense amount of trust is being placed in MetaMask as a tool that manages and wields their digital authority, controlling assets, identities and more. It is of highest importance to us that we keep our users as safe and secure as possible.

We are looking for a Senior Application Security Engineer to join our rapidly growing security team to help embed security into all phases of the software development lifecycle. You would work closely with development teams and product managers to ensure MetaMask products are designed and implemented to the highest security standards. Consensys’s application security team primarily supports MetaMask with opportunities to expand to additional products in the Consensys family.

To apply for this position, you must have:

  • 6+ years of experience building and securing software, including hands-on product or application security experience.
  • Experience securing modern backend systems, web applications, and APIs.
  • Experience performing threat modelling, security design reviews, and vulnerability assessment.
  • Experience securing JavaScript-based applications across web and/or mobile (Node.js, React, React Native preferred).
  • Strong coding skills, with the ability to work directly with engineers to identify and fix vulnerabilities or build secure solutions.
  • Solid understanding of the modern web and mobile security landscape, including common attack vectors and mitigations.
  • Strong communication skills, with the ability to influence engineering decisions and collaborate effectively in a remote environment.
  • Self-driven and proactive, comfortable operating in a high-autonomy, distributed team.
  • Alignment with our mission and values.

Timezone: Most timezones will work. Regardless of where you are, some overlap with EU and US-Pacific time zones will be necessary. 

Nice to have:

  • Experience working as a software developer.
  • Familiarity with the Ethereum blockchain and Decentralized Applications.
  • You’re a MetaMask user!

Responsibilities

  • Determine the root cause and severity of vulnerabilities reported to us through our bug bounty platform.
  • Interface with ethical hackers, triage reports, and guide product engineering teams to resolution.
  • Document identified vulnerabilities in a way that allows for our engineering team to take quick action.
  • Write code to support the development of security engineering projects, or fix vulnerabilities in MetaMask client applications. This includes the development of AI tooling for vulnerability determination and resolution in order to keep pace with the changing AI-powered vulnerability detection landscape.
  • Assess potential security vulnerabilities within our applications, and work with development teams to ensure remediation in our established SLAs.
  • Support product teams as they develop new features by conducting design reviews, threat modeling, security testing, and code reviews.
  • Identify gaps in MetaMask’s secure software development life cycle (SSDLC), and take initiative leading efforts to address them.
  • Participate and contribute to team meetings, roadmap planning, and discussions.
  • Validate that security patches address reported vulnerabilities and test for any potential bypasses.
  • Proactively prevent future occurrences of a vulnerability through developing automation, security controls, and educating developers.
  • Pave your own path in how you want to make MetaMask more secure. 

Don't meet all the requirements? Don't sweat it. We’re passionate about building a diverse team of humans and as such, if you think you've got what it takes for our chaotic-but-fun, remote-friendly, start-up environment—apply anyway, detailing your relevant transferable skills in your cover letter. While we have a pretty good idea of what we need, we're ready for you to challenge our thinking on who needs to be in this role.

It is a requirement of employment in this position that applicants will be required to submit to background checks including but not limited to employment, education and criminal record checks. Further details will be provided to applicants that successfully meet the criteria for the position as determined by the company in its sole discretion. By submitting an application for employment, you are acknowledging and consenting to this requirement.

The salary range for US-based candidates only will be determined throughout the interview process depending on experience and skills.

US pay range (not including bonus, equity or other benefits)
$130,000 - $218,000 USD

In the rapidly evolving Web3 space, we believe that everyone is a builder. This expansive paradigm requires a range of backgrounds, talents, skills, and experiences to influence and shape the future. At Consensys, this diversity fuels our ability to shift control and redefine the realm of possibility. We are committed to ensuring that our technology empowers people and communities with economic and political agency through decentralized technologies. We welcome the range of perspectives and differences and celebrate them. We're excited to see how your unique skills as a builder can contribute to our vision, drive innovation, and help us shape a more inclusive Web3.

Consensys is an equal opportunity employer. All employment decisions are made without regard to race, color, national origin, ancestry, sex, gender, gender identity or expression, sexual orientation, age, genetic information, religion, disability, medical condition, pregnancy, marital status, family status, veteran status, or any other characteristic protected by law. Consensys is aware of fraudulent recruitment practices, and we encourage all applicants to review our best practices to protect yourself, which can be found at https://consensys.io/careers/best-practices-to-avoid-recruitment-fraud/.
