Career Opportunity - Web vulnerability researcher

Background

Based in Cheshire in the United Kingdom, PortSwigger is a global leader in the cybersecurity sector. Our cutting-edge software is used by over 70,000 customers in 150 countries to help them secure their web applications. Our educational and research output is used by millions of people globally to learn about web security.

Our dedicated research team, led by James Kettle, has a track record of pioneering original research into new vulnerability classes and new takes on old bugs, including web cache poisoning, server-side template injection, HTTP request smuggling, CORS misconfigurations, and AngularJS injection.

We would now like to expand the capabilities of our research team with additional expertise in web security vulnerabilities and ways of testing for them.

Role details: Web vulnerability researcher

Timeframe: Permanent position.

Location: Knutsford, Cheshire, United Kingdom.

We are minutes from the M6, and easily commutable from Manchester, Stockport, Wilmslow, Warrington, Chester, Crewe, Macclesfield, and Northwich.

Salary: We pay excellent salaries above the normal market level, and this is always determined based on your individual skills and contribution.

Holidays: 25 days plus public holidays.

Discover why we work better together

Benefits: Share options, 8% employer pension contribution.

Life assurance: 4x salary.

Income protection: full pay for first 6 months of incapacity followed by 75% of salary plus pension contribution.

Private medical insurance (Bupa).

Working hours: Core hours are 9am to 5pm, with flexibility to start any time between 8am and 9.30am.

Apply, or ask any questions

About you

First and foremost, you're a hacker. You love playing with systems, and breaking them.

You've found your niche in web security: understanding the wealth of vulnerabilities that are out there, how to find them, and how to exploit them.

As a seasoned penetration tester, you've encountered pretty much every kind of web security bug there is. You enjoy telling war stories about the crazy bugs that you've found.

You thrive on sharing your knowledge and helping others to learn. You relish the idea of reaching a global audience and teaching them how to hack the web.

Any of the following get you excited:

Quirky variations on common vulnerabilities that make them harder to find or exploit.
Chaining together low-risk vulnerabilities to enable a more serious attack.
Devising ways to automate tasks that are normally done manually.
Finding loopholes in input validation or other defenses that most testers give up on.
Using out-of-band techniques to detect invisible vulnerabilities.
Spotting overlooked wrinkles in well-worn topics that uncover new possibilities for exploitation.
Devising and participating in CTF competitions.
Sharing your expertise with others, through training courses, blog posts, or other output.

Key responsibilities

You will:

Keep abreast of the latest research into web security vulnerabilities and detection techniques, by monitoring the output of other researchers and attending conferences such as AppSec.
Continue honing your own penetration testing skills, by testing bug bounty sites and performing security testing of our own applications.
Devise new labs for the Web Security Academy, showcasing interesting vulnerabilities based on your real-world experience or research developments. This will involve creating outline functional specifications for developers to implement.
Provide subject matter expertise into the generation of learning materials for the Web Security Academy. This will involve producing skeleton outlines for new content (at the level of bullet lists), liaising with in-house technical writers, and reviewing draft materials.
Use Burp Suite continuously as part of your bug bounty and research activities, monitor its performance and accuracy, and provide feedback to our product teams on potential enhancements.
Produce blog posts and other output on general web security topics and the results of your own research.

Essential skills

Web security expert, with deep and broad knowledge of vulnerabilities and how to find and exploit them.
Five plus years of experience of penetration testing web applications.
Power user of Burp Suite Professional and passionate about the product.
Strong communicator, able to explain complex technical details to a less specialist audience.
Effective team player with high EQ and low ego.
Helpful, can-do attitude, generous in sharing time and knowledge with others.
Good time management: able to manage own agenda, multi-task, and work to deadlines.
A track record of published research on web security would be beneficial but is not critical.

Be well rewarded

We firmly believe in paying people what they're worth to us, not just what we can get away with or what they could earn elsewhere. We pay excellent salaries above the normal market level, and this is always determined based on your individual skills and contribution. In addition to a generous base salary, we offer share options and a comprehensive benefits package.

Why join PortSwigger?

We like to have fun (why else would we make a product called Burp?).
We are professional without being corporate.
We encourage a positive work-life balance. We work hard but keep to a normal working day. We don't do stress.
We offer a healthy, high-tech working environment. All our people work on the latest Macs, with dual monitors, sitting-standing desks, and (if they are so inclined) walking treadmills.
We are a close-knit team. We have regular team lunches, evening social events, and amazing parties twice a year.

Meet the Swiggers

We are a diverse group of people with a wide range of interests and backgrounds. What Swiggers have in common is that they all love their work and are exceptionally good at what they do.

Jess H, Journalist

Mike S, Software Developer

Mohamed H, Software Developer

Meet the Swiggers

Vacancy

Web vulnerability researcher

An opportunity to join a world-class web security research team and champion the sharing of knowledge about web security vulnerabilities and how to find them.

Background

Humans aren't resources. PortSwigger is its people; they aren't just a means to the company's ends.

Role details: Web vulnerability researcher

About you

Key responsibilities

Essential skills

Be well rewarded

Why join PortSwigger?

Meet the Swiggers

What to expect from the application process

Why work at PortSwigger?

View all available positions