Are you ready to challenge your limits and make a significant impact in the world of cryptocurrency?
At Coinbase, we are driven by our mission to enhance economic freedom globally. This ambitious vision requires each of us to bring our best selves every day as we work to develop the future of the financial system through our on-chain platform.
We are looking for a specific type of candidate—someone passionate about our mission who recognizes the potential of crypto and blockchain to transform finance. If you desire to create a lasting legacy, thrive under challenging conditions, and actively seek valuable feedback to accelerate your growth, we want you on our team. We value individuals who tackle complex problems head-on.
Our work culture is fast-paced and intense. If you are excited about the possibility of building the future with exceptional colleagues who challenge you to excel, you’ve found the right place.
While many roles at Coinbase offer remote-first options, we encourage in-person participation regularly, with team and company-wide offsites occurring multiple times a year to strengthen collaboration and connection. Attendance is both expected and fully supported.
The Application Security organization at Coinbase is on the lookout for an experienced Offensive Security Engineer who specializes in Web3 penetration testing and bug bounty program management. In this position, you will work alongside the Bug Bounty Program Lead to oversee Web3 bug bounty triage, validation, and strategic initiatives designed to enhance program efficiency, maturity, and hacker engagement. Collaborating closely with whitehat hackers, security engineers, and cross-functional teams, you will play a key role in strengthening Coinbase's security posture through a robust bug bounty program. You will also conduct penetration tests on Web3 technologies and applications, ensuring the safety of Coinbase's blockchain-based products and services.
Key Responsibilities:
Perform security assessments on Web3 products, including smart contracts, DeFi protocols, and blockchain infrastructure.
Work with partner teams to enhance detection and response strategies for Web3 vulnerabilities.
Keep abreast of emerging security trends, advisories, and academic research in the Web3 domain.
Lead the triage and validation process for the Web3 bug bounty program, ensuring timely and accurate assessments of vulnerabilities.
Devise and execute strategies to motivate high-quality bug bounty submissions and engage deeply with the hacker community.
Oversee the Web3 bug bounty program, including scope updates, researcher communication, and disbursement of rewards.
Analyze bug bounty data to uncover trends, common vulnerabilities, and opportunities for enhancement.
Collaborate with engineering teams to prioritize and remediate vulnerabilities identified through the bug bounty program.
Mentor and guide junior security engineers in bug bounty triage and analysis.
Provide on-call support for critical incidents related to the Web3 bug bounty program.
Document and report on key bug bounty metrics and the effectiveness of the program.
Qualifications:
Bachelor's or Master's degree in Computer Science, Cybersecurity, Software Engineering, or a related field.
At least 3 years of experience in Web3 application security and penetration testing.
Proven experience identifying critical vulnerabilities across the blockchain protocol stack and Web2/Web3 components.
In-depth knowledge of the blockchain ecosystem, including Layer 1/Layer 2 networks, DeFi protocols, and staking mechanisms.
Solid understanding of Web2 security principles and common vulnerabilities (e.g., OWASP Top 10, SANS Top 25).
Excellent analytical skills for spotting trends and patterns in vulnerabilities.
Strong communication skills for effective engagement with internal teams.
A genuine passion for security and a commitment to advancing Web3's security posture.
Ability to work autonomously and take ownership of penetration testing projects.
Motivation for continuous learning in the fast-evolving crypto landscape.
Ability to communicate effectively and kindly with both technical and non-technical stakeholders.
Experience in building collaborative relationships with product, engineering, and security teams.
Preferred Qualifications:
Participation in Capture The Flag (CTF) competitions, bug bounty programs, or open-source security research.
Expertise in Application Security, Network Security, or Cloud Security.
Relevant security certifications (e.g., OSCP, GPEN).
Experience in developing and implementing security tools for bug bounty triage and assessment.
Familiarity with bug bounty programs and platforms, including researcher communication and validation.
Strong analytical capabilities to identify trends in bug bounty submissions.
Excellent communication skills to engage effectively with bug bounty researchers.
Position ID: P69494
Pay Transparency Notice: Depending on your work location, the target annual base salary for this position can range from $152,405 to $179,300 USD. Full-time offers from Coinbase include bonus eligibility, equity eligibility, and a comprehensive benefits package (medical, dental, vision, and 401(k)).
Note: Each candidate may submit a maximum of four applications within any 30-day period. We encourage applicants to align their skills and interests with Coinbase’s available roles before applying.
Commitment to Equal Opportunity: Coinbase is proud to be an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, creed, gender, national origin, age, disability, veteran status, sex, gender expression or identity, sexual orientation, or any other protected characteristic. Coinbase will also consider qualified applicants with criminal histories in accordance with applicable laws.
Coinbase is committed to providing reasonable accommodations to individuals with disabilities. If you require an accommodation during the employment process, please contact us to inform us of your request and provide your contact information.
Global Data Privacy Notice for Job Candidates and Applicants: Depending on your location, the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) may govern our management of job applicants' data. Our full privacy notice outlines how your data will be processed during the application process.
AI Disclosure: For select roles, Coinbase is conducting a pilot using an AI tool for initial screening interviews for qualified applicants. This tool simulates realistic interview scenarios and engages in dynamic conversations. A human recruiter will review your responses to assess them against job qualifications.
This pilot is for testing purposes only, and Coinbase will not use AI to make employment decisions. If you need a reasonable accommodation due to a disability, please contact us.