
Senior Web Security Engineer, Browser Platform at DuckDuckGo

Remote 🌍 Work from Anywhere | Full time | Senior | USD178,500 - USD178,500 | Apply before Jun 06, 2026

Job Description

Who We Are

Hi, we're DuckDuckGo, the online protection company and a remote-first team of over 300 individuals dedicated to raising the standard of trust online. Established in 2008 and profitable since 2014, our annual revenue now surpasses $100 million USD, and millions of users rely on our browser across Mac, Windows, iOS, and Android, our search engine, and our subscription services. Our culture is built on trust, inclusivity, and empowered project management, where every team member takes full ownership of their projects, from initial scoping and execution to post-mortem analysis. If you are looking for end-to-end ownership of your work, you've found the right place!

Your Team and Role

Working within the Security Functional Team, you will play a crucial role in ensuring that our security capabilities evolve in tandem with our rapid product development, directly protecting users across all our offerings. You will also be responsible for maintaining the company's incident detection and response capabilities and contributing to general security-related projects. Recent initiatives have included browser security audits and SERP security mitigations.

As a Senior Web Security Engineer, Browser Platform, your responsibilities will include conducting browser security audits (covering special pages, DuckAI integrations, password manager, etc.), implementing SERP security mitigations (such as XSS prevention and developing tools to help engineers write safer code), managing the setup of application security scanning infrastructure (including SAST/DAST integrations in GitHub), leading internal red-team operations (simulated attack scenarios), supporting security triage, and much more!

About You

  • 7+ years of experience in web or application security, demonstrated through performing security assessments, vulnerability research, penetration testing, or secure code review.
  • Advanced programming or scripting experience with JavaScript. Any additional experience with our tech stack, which includes Swift/Kotlin/C#/JavaScript (for native apps) or JavaScript/Perl/Go (for search), is a bonus.
  • Experience with at least one WebView technology (WebKit, WebView2, Chromium WebView, etc.) and a deep understanding of browser security models (e.g., SOP, CSP, CORS, SameSite cookies).
  • Hands-on experience identifying and exploiting various web vulnerabilities (including XSS, CSRF, injection attacks, authorization flaws, etc.).
  • Familiarity with various security testing tools and frameworks.
  • Proven experience partnering and collaborating with Product Engineers, advising on security matters, and helping teams deliver secure code more rapidly.
  • Experience in shaping an organization's approach to security, including driving best practices, improving processes, and elevating security standards across all teams.

Compensation

The annual compensation for this role is $178,500 USD, plus stock options. Compensation is consistent within each professional level, irrespective of geographic location or functional area, ensuring transparency across the organization. Our Team Member Support Guide provides details on how we prioritize your well-being, including benefits such as paid parental leave, home office setup allowances, and co-working stipends.

Hiring Process

We believe hiring is a mutual process. Learn more about how we help you understand DuckDuckGo, visualize your future role here, and discover details about our hiring approach.

Diversity, Equity and Inclusion

DuckDuckGo provides equal work opportunities to all team members and applicants, strictly prohibiting discrimination and harassment of any kind based on race, color, ethnicity, caste, religion, age, sex (including pregnancy), national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by our policies or applicable federal, state, or local laws. We are committed to ensuring our hiring process is accessible. If you require reasonable accommodation for any part of the application process due to a medical condition or disability, please email [email protected] to inform us of your specific request.

Please Note That:

  • You will be required to attend meetings on camera via video conferencing.
  • Expect to travel at least two times a year, once for our all-hands meetup and again for a team retreat, each lasting approximately 4-5 days. While extenuating circumstances may impact attendance, everyone is strongly encouraged to attend.
  • While we offer a flexible work arrangement with no core hours, expect an average full-time commitment of 40 hours per week.
  • A successful candidate must pass a background check as a condition of joining the team.
  • By applying for this role, you confirm that all information submitted is accurate and complete. You further acknowledge that providing false or fraudulent information during the application process is grounds for denial of an offer, revocation of any existing offer, or other adverse action, up to and including termination after the commencement of your work.

Disclosure Statement: Use of AI in Hiring Process

As part of our commitment to enhancing our recruitment process, we utilize artificial intelligence (AI) technology to assist in reviewing and summarizing job applications and test projects, including tools integrated into our recruitment vendor platforms. We use AI to identify potentially fraudulent applications, analyze and summarize applicants' experience, interviews, and project performance, and help streamline our selection process.

Key Principles:

  • Data Privacy: All information provided in your application will be handled in accordance with our Recruiting Privacy Policy. We ensure that your personal information is protected and used solely for recruitment purposes.
  • Human Oversight and Accountability: The AI technology is designed to support our hiring team by providing insights and summaries of applications and evaluations of test projects against scoring rubrics. However, all final evaluations and hiring decisions will be made by our hiring team, who will consider the AI's input alongside other factors.
  • Transparency: We believe in transparency regarding our hiring practices. If you have any questions about how AI is used in our recruitment process, please feel free to reach out to us.

By submitting your application, you acknowledge and consent to the use of AI technology in our review process. If you would like to request an alternative selection process, please contact us at [email protected]. Thank you for your interest in joining DuckDuckGo!


About DuckDuckGo

DuckDuckGo is an independent, privacy-focused company best known for its search engine that does not track users, log personal data, or build user profiles. The company also offers a privacy-first browser, email protection, and a subscription suite called Privacy Pro with VPN and identity restoration features.
