Security Developer

Remote
Full Time
Mid Level
Working with the Python Security Response Team, Python core team, and Python Package Index (PyPI) admins to ensure Python is secure for its global and diverse user base. The core mandate for this role is to drive vulnerability reports to remediations and advisories, mitigating malware on the PyPI, and developing solutions to scale our capacity to respond ahead of the growth curve.

You’ll be part of the small-but-mighty team at the Python Software Foundation, the US non-profit organization working every day to help Python and its community thrive. Most of your days will be time-boxing between day-to-day vulnerability coordination and malware handling work alongside long-term projects like documentation, tool development, and gathering and sharing metrics.

Core Responsibilities & Development
  • Triage and remediate vulnerabilities in CPython and related projects in coordination with the Python core team.
  • Remediate malware and supply-chain attacks for projects on the Python Package Index.
  • Maintain and operate infrastructure for the Python Security Response Team, PSF CVE Numbering Authority, and security tools in use by Python, like OSS-Fuzz.
  • Propose and develop improvements to the above workflows to scale the response to meet future demand. 
Standards, Documentation, Communications
  • Work with the Python Security Response Team and Python core team to develop and refine vulnerability and secure development practices.
  • Work with the Python core team to document the security and threat models for the Python programming language, standard library, and related projects.
  • Researching, authoring, and publishing public communications about metrics, impact, and potential future work for Python security.
Qualifications

3-5 years experience with Python or C programming languages. Knowledge about vulnerabilities affecting programs written in C, such as memory safety issues. Asynchronous and written communication skills with the ability to manage and prioritize multiple concurrent threads. Experience working with open source projects and communities is a plus.

Security certifications are not required. An ideal candidate will have a collaborative and flexible attitude suited to working with a community of passionate volunteers on small, mutually-supporting teams. Don’t worry if you don’t check all the boxes or aren’t a “security expert”, above all we’re looking for someone who is eager to learn while securing the many domains and users the Python language serves.

Desired Experience

Experience with secure development practices for Python and C programming languages. Experience with vulnerability disclosure, CVE, security teams, and threat models. Experience with code quality and security tools like fuzz-testing, address and memory sanitizers. Experience writing technical documentation. Experience working in public or with open source projects.

Details
  • Location: Global remote. Regular collaboration with US timezones will be required.
  • Compensation: $70-$170K (Based on experience and local employment package norms. US employees are eligible for healthcare and other benefits)
  • Term: 1 year, with possibility of renewal
  • Travel: One trip per year to PyCon US.

The Python Software Foundation is a US 501(c)(3) non-profit corporation that holds the intellectual property rights behind the Python programming language. We also run the PyCon US conference annually, support other Python conferences/workshops around the world, and fund Python-related development with our grants program. To see more info about the PSF, check out our Annual Impact Report and public records.

We believe that the future of open source must include everyone. We welcome all job-seekers regardless of race, color, ethnicity, religion, age, sexual orientation, gender identity or expression, national origin, physical appearance, body size, socio-economic, veteran or disability status. Python is a global community and the PSF aims to support a safe environment for all. More information can be found on our Code of Conduct page.

Share

Apply for this position

Required*
We've received your resume. Click here to update it.
Attach resume as .pdf, .doc, .docx, .odt, .txt, or .rtf (limit 5MB) or Paste resume

Paste your resume here or Attach resume file