Senior Security Research Engineer

Jobs Senior Security Research Engineer Senior Security Research Engineer WP Cloud powers WordPress at scale, and security is a critical part of that foundation. We're expanding our security team to support WP Cloud, while also contributing to the protection and intelligence provided by WPScan and Jetpack Protect . As a Security Researcher, you will analyze vulnerable and malicious code, track emerging threats, and help build the tools and processes that detect, prevent, and remediate malware and other security issues across the WordPress ecosystem. If you have a knack for solving puzzles and a passion for documenting and operationalizing solutions, this is a great opportunity to make a broad impact. The Senior Security Engineer position might be a good fit if you: Enjoy securing and protecting websites and applications. Have at least 3 years of experience as a security researcher, or equivalent experience investigating vulnerabilities, malware, or other threats. Understand threat models, security threats, vulnerabilities, and common attack vectors such as XSS, injection, hijacking, social engineering, and so on, along with how to mitigate them. Have experience with PHP and some exposure to software engineering. Are highly collaborative, and love participating in code reviews and discussions about architecture or design. Have a strong ability to use AI tools effectively to accelerate your work, improve analysis, and enhance the quality of your solutions. Are open, and able, to travel 2-3 weeks per year to meet up with your teammates in person.

Extra Credit:

Experience with penetration testing and associated tools. Previous experience with malware detection systems. Reported vulnerabilities in the past. Know your way around WordPress and its file and database structures. Have experience writing and debugging WordPress plugins and themes. Speaking of interests and skills, here are some areas in which you can grow and have further impact in the future at the company: Leadership

• we offer a variety of leadership options to those who have an interest, including becoming a team lead and managing releases. Learning and development
• we have a generous personal development budget and encourage you to grow your skills through courses, books, and conferences. Architecture
• we encourage developers to build expertise in the systems they work with, guide their evolution, and mentor other developers working on them. Engineering effectiveness
• we believe in helping other developers become more effective through tools, practices, cross-team collaborations, and process Compensation and Benefits Salary range: $70,000
• 170,000 USD.

Please note that salary ranges are global, regardless of location, and we pay in local currency. We are searching for high-caliber candidates with the skills and qualities to have a net positive for Automattic. Pay will reflect the potential contribution and the impact you can bring, which may, in some cases, go beyond the range stated. This isn't your typical work-from-home job—we are a fully-remote company with an open vacation policy. Read more about our compensation philosophy. To see a full list of benefits by country, consult our Benefits Page . And check out these links to learn more about How We Hire and What We Expect from Ourselves . #LI-Remote About Automattic Now in our 20th year , we're the people behind WordPress.com , WooCommerce , Beeper , Tumblr , Simplenote , Jetpack , Longreads , Day One , PocketCasts , and more. We believe in making the web a better place. We're a distributed company with more than 1500 Automatticians in nearly every corner of the globe, speaking over a hundred different languages. Enriched by this diversity, we're united by a singular mission: to democratize publishing, commerce, and messaging so anyone with a story can tell it, anyone with a product can sell it, and everyone can manage their communications from a single source. In short, we help maintain a balance in society, creating and continually refining powerful tools people can use to compete fairly—regardless of income, gender, politics, language, or where they live in the world. We believe in Open Source , and the vast majority of our work is available under the GPL . Automattic is a Most Loved Company , an Equal Opportunity employer, and Disability Confident Committed . ( Here's what that might mean for you .) If you need disability-related accommodations during the application or interview process, please fill out this form . We are committed to ensuring an accessible hiring process for all candidates. Learn more about our Employee Resource Groups . You can track your application status and more at MyGreenhouse . To learn about how we handle your data, please review our Privacy Policy . All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran. View the "

Know Your Rights:

Workplace Discrimination is Illegal" poster here . Automattic participates in the E-Verify program in certain locations, as required by law . Job Details 1 Open position Category Engineering Team/Product Automattic Apply Now First Name

• Last Name
• Preferred First Name Email
• Phone
• Location
• Type your state/country... Resume/CV (File types: pdf, doc, docx, txt, rtf) Let us know more about you. Cover Letter (File types: pdf, doc, docx, txt, rtf) Do you have hands-on experience researching, triaging, or disclosing security vulnerabilities specifically within the WordPress ecosystem (plugins, themes, or core)?
• Please select Yes No Please select Describe a security vulnerability or piece of malware you analysed in PHP code. What was it, how did you identify it, and what made it interesting or difficult to assess?
• How are you currently using AI in your security research work? Give us a specific example of something you built, automated, or improved using AI tooling.
• Automattic is fully distributed and async-first. Walk us through how you manage your work when you're operating without a manager or peer available — how do you prioritise, communicate, and stay unblocked?
• Tell us about a time you had to make a judgment call on whether something was a real security vulnerability when the answer wasn't obvious. What was the context, what did you weigh up, and were you right?
• How did you hear about this role?
• Please select Automattic Employee (please specify below) Recruiter WordPress User I saw this job on LinkedIn WordCamp Tumblr HTTP Header/X-hacker PowerToFly StackOverflow Glassdoor Google TikTok/YouTube video Other Please select If you selected "Automattic Employee" or "Other" above, can you tell us more?

Do you have a LinkedIn profile? If so, please provide a link. Have you reviewed the compensation details (salary range) provided in the job description above?

• Read more about our compensation philosophy here. Please select Yes No Please select Please indicate your salary expectation for this role.
• Voluntary Self-Identification For government reporting purposes, we ask candidates to respond to the below self-identification survey.

Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file. As set forth in Automattic's Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law. Race Please select Decline To Self Identify Two or More Races Native Hawaiian or Other Pacific Islander White Hispanic or Latino Black or African American Asian American Indian or Alaskan Native Please select Gender Please select Decline To Self Identify Female Male Please select If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans' Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows: A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability. A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service. An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense. An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985. Veteran Status Please select I don't wish to answer I identify as one or more of the classifications of a protected veteran I am not a protected veteran Please select Voluntary Self-Identification of Disability Form CC-305 Page 1 of 1 OMB Control Number 1250-0005 Expires 04/30/2026 Why are you being asked to complete this form? We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years. Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor's Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp . How do you know if you have a disability? A disability is a condition that substantially limits one or more of your "major life activities." If you have or have ever had such a condition, you are a person with a disability.