Security Analyst, Bug Bounty

Shopify

United States
Posted on Feb 25, 2026

We’re seeking an experienced Security Analyst to join Shopify’s security organization, focused on our Bug Bounty program operations.

Shopify powers millions of merchants worldwide—which means a large and dynamic attack surface. You'll work at the intersection of external researchers, internal engineering, and AppSec, turning vulnerability reports into clear, actionable findings that protect Shopify and its merchants. This role is equal parts security analysis, operational excellence, and high-quality communication.

Your key areas of ownership are:

  • Bug bounty report triage quality and timeliness (meet SLOs, keep queues healthy, reduce rework).

  • Reproducing and validating reported security issues (prove exploitability, confirm impact, confirm affected assets, confirm fixes via retest/validation).

  • Writing clear, friendly, high-signal communication to external researchers while representing Shopify well.

  • Maintaining meticulous internal documentation and context so issues can be routed and resolved efficiently.

  • Using data to quantify performance and program health (queue state, SLOs, throughput, trend reporting).

  • Partnering with AppSec engineering when a report requires deeper engineering expertise.

You will:

  • Detect, evaluate, and help address security threats to Shopify and its merchants; develop security controls and protocols; perform security audits; conduct vulnerability assessments and penetration tests; assist in the creation and implementation of security solutions; help mitigate compliance and regulatory risks.

  • Solve problems quickly and follow (and improve) the team’s playbooks.

  • Be meticulous in documentation and context capture (so others can pick up work without losing time).

  • Use data to investigate emerging risks/trends and translate them into repeatable solutions.

  • Mentor teammates, raise the bar, and become the “go-to” expert in at least one area of the program (triage domain, vulnerability class, product area, tooling/workflows, etc.).

To be successful in this role you will need:

  • Strong written communication skills.

  • A track record of fast, high-quality problem solving, with good judgment around impact, severity, and next steps.

  • Comfort operating in externally-facing workflows with security researchers, representing Shopify professionally and consistently.

  • Operational discipline: you follow playbooks, improve them when they’re wrong or incomplete, and turn “institutional knowledge” into documentation.

  • High attention to detail in notes, reproduction steps, evidence, and decision rationale.

  • A data-informed mindset: you use metrics to quantify your throughput and quality, track trends, and help improve program health over time.

  • A growth-and-multiplication approach: you mentor teammates, raise the bar, and develop deep expertise in at least one domain (vuln class, product area, triage workflow/tooling).

  • A strong sense of accountability: you take responsibility for the quality of your interactions and outcomes, and you’re ambitious about improving the security and experience we deliver.

Role-specific experience / capabilities

  • Strong working knowledge of web application security fundamentals (authn/authz, session management, injection, IDOR, SSRF, XSS, CSRF, access control, multi-tenant risk, etc.).

  • Demonstrated ability to reproduce vulnerability reports reliably and communicate impact precisely.

  • Experience doing vulnerability assessment and/or penetration testing (professionally or in a structured program).

  • Strong judgment on severity/impact assessment and how to ask for additional info when needed.

  • Comfortable working in operational queues and juggling multiple in-flight investigations without losing quality.