Product Security Engineer

<div class="content-intro"><p><strong data-stringify-type="bold">About Hashgraph:<br></strong></p> <p class="c-mrkdwn__quote" data-stringify-type="quote">Hashgraph is a fast-growing software company committed to supporting, developing and servicing Hedera, an open source, proof-of-stake platform. Hedera is EVM-compatible and has been specifically built to meet the needs of enterprise and web3 applications, which require speed, security, stability and sustainability. Hedera’s public network is governed by industry-leading organizations, spanning 11 sectors and 14 regions, who oversee the development and direction of the decentralized platform.</p></div><p><span style="text-decoration: underline;"><strong><span style="font-size: 14pt;">The role:<br></span></strong></span><br>We are hiring a <strong>Product Security Engineer</strong> to embed security into the product development lifecycle and ensure vulnerabilities are found by us before they are found by others. <span style="text-decoration: underline;"><span style="font-size: 14pt;"><br></span></span>Hedera is an enterprise-grade distributed ledger securing billions of transactions for global developers and institutions. As the platform grows with new protocol upgrades, EVM-compatible services, cross-chain infrastructure, and cryptographic primitives, the attack surface grows with it. This role exists to ensure that security is a first-class property of every protocol upgrade, smart contract, and node shipped to production.
</p> <h3>In this role, you will:</h3> <ul> <li data-section-id="tkd6el" data-start="1417" data-end="1616">Conduct end-to-end security assessments of blockchain-based systems, from cryptographic primitive design and protocol architecture through smart contract implementation and deployed infrastructure.</li> <li data-section-id="1e5xrcw" data-start="1617" data-end="1761">Find real vulnerabilities through hands-on review, adversarial testing, and proof-of-concept exploit development, not just automated scanning.</li> <li data-section-id="z4i4rd" data-start="1762" data-end="1930">Design adversarial test cases and proof-of-concept exploits for Hedera-native services, EVM-compatible contracts, cross-chain bridges, and consensus-layer components.</li> <li data-section-id="11oosdk" data-start="1931" data-end="2009">Own threat modeling and security architecture reviews across product phases.</li> <li data-section-id="y5vnmz" data-start="2010" data-end="2085">Define and enforce security gates before new components reach production.</li> <li data-section-id="q3s6y3" data-start="2086" data-end="2224">Partner directly with engineering teams to translate cryptographic and protocol-level risks into concrete, prioritized remediation work.</li> <li data-section-id="gv8nui" data-start="2225" data-end="2370">Build and improve security tooling, fuzzing infrastructure, and CI/CD security automation to scale security coverage without scaling headcount.</li> <li data-section-id="1b9k4qf" data-start="2371" data-end="2518">Track emerging blockchain and web3 attack patterns, map them to the internal codebase, and drive proactive mitigation before threats materialize.</li> </ul> <h2><span style="font-size: 12pt;"><strong>What success looks like in 6-12 months:</strong></span></h2> <ul> <li data-section-id="1esxlz9" data-start="2569" data-end="2681">Security review processes are integrated across major product development workflows, not bolted on at the end.</li> <li data-section-id="q9otnh" 
data-start="2682" data-end="2788">Security tooling and automated checks are running inside CI/CD pipelines, reducing manual review burden.</li> <li data-section-id="tdqyub" data-start="2789" data-end="2898">The vulnerability backlog is prioritized and actively shrinking through structured developer collaboration.</li> <li data-section-id="1ijmvfw" data-start="2899" data-end="3022">Engineering teams have meaningfully improved their working knowledge of web3 attack patterns and secure coding practices.</li> </ul> <h2><span style="text-decoration: underline;"><span style="font-size: 14pt;"><strong>What you bring:</strong></span></span></h2> <p><strong><span style="font-size: 12pt;">Core capabilities:</span></strong></p> <ul> <li data-section-id="1jls22e" data-start="3066" data-end="3184">Hands-on vulnerability discovery and security testing across blockchain protocols, smart contracts, nodes, and APIs.</li> <li data-section-id="lovsok" data-start="3185" data-end="3258">A track record of catching real bugs, not just running automated scans.</li> <li data-section-id="acvwja" data-start="3259" data-end="3373">Strong threat modeling and security architecture review experience applied to distributed cryptographic systems.</li> <li data-section-id="1dfy58o" data-start="3374" data-end="3511">Experience assessing cross-chain protocols, threshold signature schemes, or other cryptographic systems with complex trust assumptions.</li> <li data-section-id="1ws6vg4" data-start="3512" data-end="3665">Deep working knowledge of applied cryptography, including BLS signatures, pairing-based schemes, polynomial commitments, and Fiat-Shamir constructions.</li> <li data-section-id="si09yk" data-start="3666" data-end="3763">Ability to reason about cryptographic failure modes and how they show up in production systems.</li> <li data-section-id="azkha2" data-start="3764" data-end="3826">Direct experience auditing or breaking a cross-chain bridge.</li> <li data-section-id="ise9gl" 
data-start="3827" data-end="3985">Ability to reason through trust model tradeoffs, including state proof, multisig, and oracle attestation models, and what each means for the attack surface.</li> </ul> <p><strong><span style="font-size: 12pt;">Functional expertise:</span></strong></p> <ul> <li data-section-id="1yu5jd7" data-start="4013" data-end="4104">Blockchain security and secure coding practices across EVM-compatible and non-EVM chains.</li> <li data-section-id="1a5feta" data-start="4105" data-end="4190">Security testing tooling, including static analysis, dynamic analysis, and fuzzing.</li> <li data-section-id="vixyg5" data-start="4191" data-end="4272">Experience developing custom fuzzing harnesses or security test infrastructure.</li> <li data-section-id="12btkx2" data-start="4273" data-end="4337">Ability to read and audit Rust and/or Java cryptographic code.</li> <li data-section-id="nzckbf" data-start="4338" data-end="4453">Understanding of memory safety, constant-time correctness, secret handling, and security risks at JNI boundaries.</li> </ul> <p><strong><span style="font-size: 12pt;">Nice to haves:</span></strong></p> <ul data-start="4473" data-end="4929"> <li data-section-id="1h25e65" data-start="4473" data-end="4594">Experience designing and operating grammar-aware fuzzing campaigns against gRPC, JSON-RPC, or protocol-level endpoints.</li> <li data-section-id="zdzp7a" data-start="4595" data-end="4680">Experience building classifier pipelines to distinguish security signal from noise.</li> <li data-section-id="1x218mb" data-start="4681" data-end="4732">Prior work on Ethereum consensus client security.</li> <li data-section-id="1hg5aae" data-start="4733" data-end="4788">Prior work on production threshold signature systems.</li> <li data-section-id="13u3v0f" data-start="4789" data-end="4839">Experience building security automation tooling.</li> <li data-section-id="i532bz" data-start="4840" data-end="4929">Experience integrating AI-assisted workflows 
into security review and triage processes.</li> </ul>
