Senior Web Security Engineer, Browser Platform at DuckDuckGo

Who We Are - DuckDuckGo

At DuckDuckGo, we are driven by our mission to elevate the standard of trust online. We are a remote-first team of over 300 individuals, operating in an intense and high-achieving environment. This is a place where you'll be encouraged to push past your perceived limits, building the future of online privacy. Annual revenue exceeds $100M USD, with millions utilizing our browser on Mac, Windows, iOS, and Android, alongside our search engine and Privacy Pro. Our culture emphasizes trust, inclusivity, and empowered project ownership, where each team member takes full responsibility for their work, from initial scoping to post-mortem analysis. We believe in incorporating AI as a core productivity tool, with all team members expected to leverage AI in their daily workflows to drive efficiency, innovation, and impact.

An overview of this role

As a Senior Web Security Engineer on the Browser Platform team, you'll be instrumental in protecting users by enhancing the security of our browser and related web technologies. You will focus on identifying and mitigating security vulnerabilities across our platform, contributing to a secure, private-by-default browsing experience. This role requires deep technical expertise in web security, browser architecture, and a proactive approach to threat detection and prevention. You will work closely with other engineers, product managers, and security researchers to implement robust security measures and stay ahead of evolving threats.

What You'll Do

• Lead security architecture reviews and threat modeling for new browser features and web platform components.
• Identify, analyze, and mitigate web-based security vulnerabilities (e.g., XSS, CSRF, Injection flaws, WebAuthn/WebRTC vulnerabilities).
• Design and implement security enhancements for the browser engine, rendering pipeline, and extensions ecosystem.
• Develop and integrate security tooling into the CI/CD pipeline, including static analysis (SAST), dynamic analysis (DAST), and dependency scanning.
• Conduct security assessments, penetration testing, and code audits of web platform components.
• Respond to security incidents, perform forensic analysis, and drive remediation efforts.
• Collaborate with the broader security team, privacy engineering, and product teams to ensure security best practices are integrated throughout the development lifecycle.
• Contribute to the security roadmap, evaluating new technologies, and advocating for security-first design principles.

Required Skills and Experience

• 8+ years of experience in web security, browser security, or platform security engineering.
• Deep expertise in web technologies (HTML, CSS, JavaScript) and browser architecture (WebView, WebKit, Chromium).
• Proven track record of identifying and mitigating critical security vulnerabilities in complex web applications or browser platforms.
• Strong proficiency in at least one modern programming language (e.g., C++, Rust, Python, Go, JavaScript) for security tooling and development.
• Experience with security features like Content Security Policy (CSP), Subresource Integrity (SRI), and Same-Origin Policy (SOP).
• Familiarity with common web exploits, attack vectors, and defensive mechanisms.
• Experience with security testing tools (e.g., Burp Suite, OWASP ZAP) and vulnerability management processes.
• Demonstrated ability to lead and drive complex security projects independently.
• Strong communication and collaboration skills to work effectively with cross-functional teams.
• Utilizes generative AI responsibly, maintaining human oversight to deliver business-ready outputs and drive measurable improvements in workflow efficiency, cost, and quality.

Pay Transparency Notice

Annual Compensation: $178.5K USD (Base salary varies by location, see range below). Total compensation may also include equity and bonus eligibility, and benefits (medical, dental, vision, 401(k)).

Annual base salary range (excluding equity and bonus): $186,065 - $218,900 USD

Disclosures

• Application Limit: Candidates may submit a maximum of 3 applications within a 6-month period.
• Equal Opportunity Employer: DuckDuckGo is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, protected veteran status, or genetic information. Applicants with criminal histories will be considered consistent with applicable federal, state, and local laws.
• US Applicants: View Employee Rights, Know Your Rights, and E-Verify Notice of Participation.
• Accommodations: If you are an individual with a disability who needs a reasonable accommodation, email us your request and contact info at [email protected]. Need screen reading technology? Click here to download a free compatible screen reader and view the tutorial.
• Data Privacy & Arbitration: By submitting your application, you agree to our Candidate Privacy Notice. US applicants: By submitting your application, you agree to Arbitration of Disputes.
• AI Disclosure: DuckDuckGo is piloting an AI tool based on machine learning technologies to conduct initial screening interviews for qualified applicants. The tool simulates realistic interview scenarios and engages in dynamic conversation. DuckDuckGo is also piloting an AI interview intelligence platform to transcribe and summarize interview notes, allowing our interviewers to fully focus on you as the candidate. DuckDuckGo will not use AI to make decisions impacting employment.

Benefits for U.S. employees

• Medical Plan, Dental and Vision Plan with generous employee contributions (Health Insurance)
• Health Savings Account with company contributions each pay period
• Disability and Life Insurance
• 401(k) plan with company match (401(k) / Retirement Plans)
• Wellness Stipend (Wellness Programs)
• Mobile/Internet Reimbursement (Home Office Stipend)
• Volunteer Time Off
• Fertility Counseling and Benefits (Child Care Support)
• Generous Time off/Leave Policy (Unlimited PTO)
• The option of getting paid in digital currency