Gitlab hero border pattern left svg Gitlab hero border pattern right svg

Vulnerability Research Engineer

GitLab is building a research team that will focus on improving GitLab’s security detection capabilities, including SAST/DAST and future products. For more information about our security products, please review: and

This team will work closely with the GitLab Security, Development, and Product teams to build, tune and improve the efficacy of GitLab’s of security products that are integrated into GitLab.

Vulnerability Research Engineers are responsible for performing deep assessments of software and web application vulnerabilities, tracking exploit code releases and exploitation activities, and the creation of detailed and actionable reports in support of our global commercial and government customers.

Job Grade

The Vulnerability Research Engineer is a grade 6.


  • Dedicate all bandwidth to dogfooding and contributing directly to the Secure and Protect products
  • Curate an advisory database/dependency scanning database. This is a semi-automatic task that includes auditing/reviewing, editing existing and adding new advisories to the database while, at the same time, trying to automate repetitive tasks away as much as possible.
  • Build/develop benchmarks to test the efficacy of scanning and detection products
  • Measure and Improve the efficacy of scanning and detection products over time
  • Conduct code review of Ruby and Go backend code
  • Build/develop/improve solutions in the area of static and dynamic analysis
  • Write detailed technical reports
  • Assess security product output results and conduct root cause analysis to improve efficacy
  • Respond to internal and external customer inquiries on vulnerabilities and related topics
  • This is NOT a Security Operations or Application Security position


  • 2+ years of direct experience in developing and improving vulnerability detection products in the context of web security
  • Knowledge of software composition analysis
  • Knowledge about compilers/compiler construction
  • Experience with source code analysis, static application security testing (SAST), and dynamic application security testing (DAST)
  • Knowledge about benchmarking for testing the efficacy of scanning and detection products
  • Experience developing automated web security testing tools
  • Experience completing code reviews of Ruby and Go backend code
  • Experience in product development
  • You have a passion for security and open source
  • You are a team player, and enjoy collaborating with cross-functional teams
  • You are a great communicator (written and verbal)
  • You employ a flexible and constructive approach when solving problems
  • Our values of collaboration, results, efficiency, diversity, iteration, and transparency resonate with you

Nice to haves

  • Experience with abstract interpretation/ reverse-engineering
  • Experience with binary analysis


Senior Vulnerability Research Engineer

Job Grade

The Senior Vulnerability Research Engineer is a grade 7.


  • Leverages security expertise in at least one specialty area
  • Triages and handles/escalates security issues independently
  • Conduct security product output reviews and makes recommendations
  • Great written and verbal communication skills
  • Screen security candidates during hiring process

A Senior Vulnerability Research Engineer may want to pursue the vulnerability security management track at this point. See Engineering Career Development for more detail.

Staff Vulnerability Research Engineer

The Staff Vulnerability Research Engineer role extends the Senior Vulnerability Research Engineer role.

Job Grade

The Staff Vulnerability Research Engineer is a grade 8.


  • Recognized security expert in multiple specialty areas, with cross-functional team experience
  • Make security product decisions
  • Provide actionable and constructive feedback to cross-functional teams
  • Implement security technical and process improvements
  • Exquisite written and verbal communication skills
  • Author technical security documents
  • Author questions/processes for hiring and screening candidates
  • Write public blog posts and represent GitLab as a speaker at security conferences

Career Ladder

For more details on the engineering career ladders, please review the engineering career development handbook page.

Hiring Process

Candidates for this position can expect the hiring process to follow the order below. Please keep in mind that candidates can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find their job title on our team page.

  • Selected candidates will be invited to schedule a 30 minute screening call with our Recruiting team
  • Next, candidates will be invited to schedule an interview with the Vulnerability Research Manager
  • Candidates will then be invited to schedule interviews with peer Researchers

As always, the interviews and screening call will be conducted via a video call. See more details about our hiring process on the hiring handbook.

About GitLab

GitLab Inc. is a company based on the GitLab open-source project. GitLab is a community project to which over 2,200 people worldwide have contributed. We are an active participant in this community, trying to serve its needs and lead by example. We have one vision: everyone can contribute to all digital content, and our mission is to change all creative work from read-only to read-write so that everyone can contribute.

We value results, transparency, sharing, freedom, efficiency, self-learning, frugality, collaboration, directness, kindness, diversity, inclusion and belonging, boring solutions, and quirkiness. If these values match your personality, work ethic, and personal goals, we encourage you to visit our primer to learn more. Open source is our culture, our way of life, our story, and what makes us truly unique.

Top 10 reasons to work for GitLab:

  1. Work with helpful, kind, motivated, and talented people.
  2. Work remote so you have no commute and are free to travel and move.
  3. Have flexible work hours so you are there for other people and free to plan the day how you like.
  4. Everyone works remote, but you don't feel remote. We don't have a head office, so you're not in a satellite office.
  5. Work on open source software so you can interact with a large community and can show your work.
  6. Work on a product you use every day: we drink our own wine.
  7. Work on a product used by lots of people that care about what you do.
  8. As a company we contribute more than we take, most of our work is released as the open source GitLab CE.
  9. Focused on results, not on long hours, so that you can have a life and don't burn out.
  10. Open internal processes: know what you're getting in to and be assured we're thoughtful and effective.

See our culture page for more!

Work remotely from anywhere in the world. Curious to see what that looks like? Check out our remote manifesto and guides.

Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license