Security Engineer – Bug Bounty
Company Overview
Interactive Brokers Group, Inc. (Nasdaq: IBKR) is a global financial services company headquartered in Greenwich, CT, USA, with offices in over 15 countries. We have been at the forefront of financial innovation for over four decades, known for our cutting-edge technology and client commitment.
IBKR affiliates provide global electronic brokerage services around the clock on stocks, options, futures, currencies, bonds, and funds to clients in over 200 countries and territories. We serve individual investors and institutions, including financial advisors, hedge funds and introducing brokers. Our advanced technology, competitive pricing, and global market help our clients to make the most of their investments.
Barron's has recognized Interactive Brokers as the #1 online broker for six consecutive years. Join our dynamic, multi-national team and be a part of a company that simplifies and enhances financial opportunities using state-of-the-art technology.
About the Role
We are looking for a Security Engineer focused on Bug Bounty who treats researcher reports as security data, not support tickets. This is not a coordination role — you will be hands-on validating vulnerabilities, reproducing exploits, and working directly with engineering teams to drive fixes. You will own the full lifecycle of the program: scope design, triage, researcher relations, remediation tracking, and the upstream feedback that turns external findings into internal controls.
The other half of this role is developer partnership. Findings that sit in a backlog do not improve security. You will reduce the friction that keeps confirmed vulnerabilities from being fixed — translating researcher reports into clear remediation guidance, removing ambiguity that slows engineers down, and identifying the process or tooling gaps that let the same vulnerability class appear repeatedly.
A deep understanding of how vulnerabilities actually work — not just how to classify them — is fundamental to success here.
What You'll Do
- Own day-to-day operations of the bug bounty program on the managed platform, including report triage, severity assessment, researcher communication, and payout decisions — maintaining SLA compliance across all inbound volume
- Reproduce and technically validate submitted vulnerabilities across web, API, mobile, and trading infrastructure attack surfaces — reason independently about exploitability in context, not just what the report claims
- Classify findings using CVSS, OWASP, and business impact criteria; distinguish genuine risk from theoretical severity; escalate critical issues into incident response workflows with enough context for engineering leadership to act immediately
- Act as a remediation partner, not just a reporter — work directly with developers to clarify findings, provide exploit context, reproduce issues where needed, and give fix guidance grounded in how the vulnerability actually works; track what slows remediation and fix it
- Identify recurring vulnerability classes across inbound reports and feed patterns back into AppSec initiatives — SAST rule tuning, developer training, design review checklists — closing the loop from external discovery to internal prevention
- Maintain program scope, out-of-scope guidance, and rules of engagement; adjust based on surface area changes, new products, and program maturity signals
- Coordinate with legal, compliance, and communications on responsible disclosure edge cases, researcher disputes, and public disclosure timelines
- Produce monthly and quarterly program metrics for security leadership — coverage, triage velocity, remediation cycle times, finding trends — with enough analytical depth to drive program decisions
- Evaluate attack surface expansions — new APIs, products, acquisitions — for readiness to enter program scope
What We're Looking For
These are the capabilities that matter for this role. Strong candidates will not check every box. Depth in vulnerability validation and developer partnership matters more than broad platform familiarity. If you have operated on both sides of the researcher-developer relationship, we want to hear from you.
- 2–5 years in application security, penetration testing, bug bounty operations, or a security engineering role with hands-on validation focus
- Strong foundational knowledge of how web application vulnerabilities work at a technical level — SSRF, IDOR, auth bypass, injection classes, business logic flaws, API authorization failures, OAuth misconfigurations — not just awareness of their names
- Ability to read a researcher report and independently reason about exploitability in the specific context of the application — understand trust boundaries, data flow, and what an attacker would actually need to trigger the finding
- Experience operating a bug bounty or vulnerability disclosure program on a managed platform — Bugcrowd, HackerOne, or equivalent — with ownership of triage decisions and researcher communication
- Strong written communication under pressure — you will be writing triage decisions to elite researchers and remediation guidance to developers simultaneously; both audiences require clarity and credibility
- Familiarity with REST and GraphQL API security, OAuth 2.0 flows, session management, and web application architecture at the level needed to validate findings without relying on the researcher's reproduction steps alone
- Ability to work cross-functionally with engineering teams — translate security findings into actionable, developer-friendly guidance that engineers will actually implement rather than defer
Nice to Have
- Active bug bounty participation as a researcher — candidates who have filed reports themselves understand what makes a finding credible, what frustrates researchers about triage decisions, and how to run a program that retains high-signal contributors
- Development background — candidates who have written production code and personally addressed security vulnerabilities bring a fundamentally different perspective to remediation partnership; they understand why developers make the choices they do, where fixes break things, and how to give guidance that engineers will actually act on
- Experience in financial services or a similarly regulated environment — understanding the compliance overlay on remediation timelines and disclosure decisions changes how you prioritize and escalate
- Scripting ability in Python or Bash — for triage automation, scope monitoring, duplicate detection, or metrics extraction from platform APIs
- Familiarity with DAST tooling (Burp Suite Pro, Nuclei, ZAP) — candidates who can independently reproduce and extend researcher findings without relying solely on the submitted reproduction steps are significantly more effective in this role
What We Offer
Listing Details
- Posted: June 3, 2026