Skip to main content

Staff Product Security Engineer

See all jobs

Company Description

It all started when engineer Fred Luddy wrote code that automated a tedious task for his coworker, Phyllis. She cried tears of joy. That moment inspired Fred to build a company that could do that for everyone—freeing people from busywork so they could focus on meaningful work. Today, ServiceNow is the AI control tower for business reinvention. Our ServiceNow AI platform brings together any AI, any data, and any workflow— helping 85% of the Fortune 500® work smarter, faster, and better. We're building an AI-native culture where technology and talent are unstoppable together. And we're just getting started.

Join us to put AI to work for people.

Job Description

ServiceNow seeks a Staff Product Security Engineer to serve as the technical core of our bug bounty program within the Product Security Incident Response Team (PSIRT). This is the senior engineer who owns bug bounty reports from intake through resolution: reproducing and validating the vulnerability, assessing its severity, and seeing it through to a verified fix. 

The work is deeply technical. Reproducing a vulnerability is only the starting point. From there you read the underlying code, identify root cause, and either propose the fix or design it alongside engineering before confirming it holds. You are also the person researchers deal with directly, which makes clear, credible communication as central to the role as the technical analysis itself. 

As one of the most senior engineers on the team, you will set the standard for how triage is done and mentor earlier-career engineers. Beyond the bug bounty queue, you will conduct variant hunts, perform original platform security research, lead major product security incidents, and run forensic postmortems when a significant issue reaches production. 

Key Responsibilities 

Triage and Resolve Bug Bounty Reports 

  • Own incoming reports end-to-end: intake, reproduction, severity scoring, root cause analysis, fix verification, and final disposition. 
  • Reproduce and validate reported vulnerabilities, building out incomplete proof-of-concept code where needed. 
  • Serve as the technical escalation point for the most complex and highest-severity reports, including multi-step exploit chains and cross-system issues. 
  • Perform code review and root cause analysis to identify the underlying defect rather than the reported symptom. 
  • Propose remediations, or design them with engineering, and verify the fix resolves the issue. 
  • Assign and defend severity ratings using the program's severity framework. 
  • Route issues to owning teams, file and track defects, and keep vulnerability records accurate through closure. 

Own Researcher and Stakeholder Communication 

  • Act as ServiceNow's primary technical point of contact for bug bounty researchers across the full lifecycle of a report. 
  • Handle severity and validity disputes directly, keeping every exchange clear, timely, respectful, and technically credible. 
  • Translate technical findings for internal stakeholders and keep engineering and leadership current on status and risk. 

Mentor the Team and Raise Triage Standards 

  • Provide technical mentorship to earlier-career PSIRT engineers, developing depth in reproduction, code analysis, severity judgment, and communication. 
  • Set and maintain the bar for triage quality and strengthen program practices over time. 

Lead Advanced Security Work Beyond Triage 

  • Conduct variant hunts to find related instances of reported vulnerabilities before they are discovered externally. 
  • Perform original platform security research to surface issues ahead of external researchers. 
  • Lead major product security incidents on the PSIRT side, coordinating response across teams under pressure. 
  • Run forensic postmortems after significant incidents to determine how the issue reached production, including how design-level flaws bypassed release processes, and confirm that remediations hold. 

Qualifications

To be successful in this role, you have:

  • 8+ years of hands-on experience in product security, application security, penetration testing, or vulnerability research. Depth of expertise matters more than years. 

Expertise in: 

  • Common web and application vulnerability classes and exploitation techniques. 
  • Vulnerability reproduction, severity assessment, and defensible risk scoring under ambiguity. 
  • Coordinated vulnerability disclosure. 

Code and development fluency: 

  • Strong code comprehension in Java, JavaScript, and Python, with the ability to trace root cause in large, unfamiliar codebases and review pull requests. 
  • Ability to write code and propose concrete fixes. This is not an application-building role, but you reason fluently in code. 
  • Working knowledge of Git, Gradle, Maven, CI/CD pipelines, and secure SDLC. 
  • Proficiency with Claude Code or equivalent AI coding assistant for code comprehension and security research. 
  • Exceptional written communication. You will represent ServiceNow directly to external researchers, frequently in disagreement, and bridge those researchers and internal engineering. This is a core requirement of the role, not a supporting skill.

Additional Information

Work Personas

We approach our distributed world of work with flexibility and trust. Work personas (flexible, remote, or required in office) are categories that are assigned to ServiceNow employees depending on the nature of their work and their assigned work location. Learn more here. To determine eligibility for a work persona, ServiceNow may confirm the distance between your primary residence and the closest ServiceNow office using a third-party service.

Equal Opportunity Employer

ServiceNow is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, national origin, age, disability, gender identity,  veteran status, or any other category protected by law. In addition, all qualified applicants with arrest or conviction records will be considered for employment in accordance with legal requirements.  

Accommodations

We strive to create an accessible and inclusive experience for all candidates. If you require a reasonable accommodation to complete any part of the application process, or are unable to use this online application and need an alternative method to apply, please contact [email protected] for assistance. 

Export Control Regulations

For positions requiring access to controlled technology subject to export control regulations, including the U.S. Export Administration Regulations (EAR), ServiceNow may be required to obtain export control approval from government authorities for certain individuals. All employment is contingent upon ServiceNow obtaining any export license or other approval that may be required by relevant export control authorities. 

From Fortune. ©2026 Fortune Media IP Limited. All rights reserved. Used under license.

Staff Product Security Engineer

Apply Now
Share