The role:

We are hiring a Product Security Engineer to embed security into the product development lifecycle and ensure vulnerabilities are found by us before they are found by others.
Hedera is an enterprise-grade distributed ledger securing billions of transactions for global developer and institutions. As the platform grows with new protocol upgrades, EVM-compatible services, cross-chain infrastructure, and cryptographic primitives, the attack surface grows with it. This role exists to ensure that security is a first-class property of every protocol upgrade, smart contract, and node shipped to production.

In this role, you will:

• Conduct end-to-end security assessments of blockchain-based systems, from cryptographic primitive design and protocol architecture through smart contract implementation and deployed infrastructure.
• Find real vulnerabilities through hands-on review, adversarial testing, and proof-of-concept exploit development, not just automated scanning.
• Design adversarial test cases and proof-of-concept exploits for Hedera-native services, EVM-compatible contracts, cross-chain bridges, and consensus-layer components.
• Own threat modeling and security architecture reviews across product phases.
• Define and enforce security gates before new components reach production.
• Partner directly with engineering teams to translate cryptographic and protocol-level risks into concrete, prioritized remediation work.
• Build and improve security tooling, fuzzing infrastructure, and CI/CD security automation to scale security coverage without scaling headcount.
• Track emerging blockchain and web3 attack patterns, map them to the internal codebase, and drive proactive mitigation before threats materialize.

What success looks like in 6-12 months:

• Security review processes are integrated across major product development workflows, not bolted on at the end.
• Security tooling and automated checks are running inside CI/CD pipelines, reducing manual review burden.
• The vulnerability backlog is prioritized and actively shrinking through structured developer collaboration.
• Engineering teams have meaningfully improved their working knowledge of web3 attack patterns and secure coding practices.

What you bring:

Core capabilities:

• Hands-on vulnerability discovery and security testing across blockchain protocols, smart contracts, nodes, and APIs.
• A track record of catching real bugs, not just running automated scans.
• Strong threat modeling and security architecture review experience applied to distributed cryptographic systems.
• Experience assessing cross-chain protocols, threshold signature schemes, or other cryptographic systems with complex trust assumptions.
• Deep working knowledge of applied cryptography, including BLS signatures, pairing-based schemes, polynomial commitments, and Fiat-Shamir constructions.
• Ability to reason about cryptographic failure modes and how they show up in production systems.
• Direct experience auditing or breaking a cross-chain bridge.
• Ability to reason through trust model tradeoffs, including state proof, multisig, and oracle attestation models, and what each means for the attack surface.

Functional expertise:

• Blockchain security and secure coding practices across EVM-compatible and non-EVM chains.
• Security testing tooling, including static analysis, dynamic analysis, and fuzzing.
• Experience developing custom fuzzing harnesses or security test infrastructure.
• Ability to read and audit Rust and/or Java cryptographic code.
• Understanding of memory safety, constant-time correctness, secret handling, and security risks at JNI boundaries.

Nice to haves:

• Experience designing and operating grammar-aware fuzzing campaigns against gRPC, JSON-RPC, or protocol-level endpoints.
• Experience building classifier pipelines to distinguish security signal from noise.
• Prior work on Ethereum consensus client security.
• Prior work on production threshold signature systems.
• Experience building security automation tooling.
• Experience integrating AI-assisted workflows into security review and triage processes.