
Senior Product Vulnerability Manager
Posted Jun 20
This is a fully remote position, open to applicants in Texas.
• Establishing and upholding the enterprise Product Vulnerability Management framework, which includes processes for intake, triage, prioritization, remediation tracking, and disclosure.
• Creating standardized methodologies for vulnerability triage and risk prioritization that are effective across the organization.
• Developing and implementing corporate-wide vulnerability management policies and standards to ensure our Product Security Incident Response processes align with organizational expectations and regulatory requirements.
• Overseeing the Coordinated Vulnerability Disclosure (CVD) program, which involves managing external intake channels, engaging with researchers, and coordinating efforts.
• Interpreting regulatory requirements (e.g., EU Cyber Resilience Act) and translating them into operational processes, controls, and reporting obligations.
• Defining and managing the enterprise tooling strategy for vulnerability detection (e.g., SAST, DAST, SCA, container scanning), including selection, configuration, and integration into CI/CD pipelines.
• Establishing minimum tooling and coverage baselines across various product types to ensure consistent adoption.
• Defining and operationalizing SBOM-driven vulnerability management practices, which include monitoring and responding to vulnerabilities in third-party components.
• Creating scalable playbooks, guidance, and decision-making frameworks that empower product teams to independently triage and address vulnerabilities.
• Establishing training requirements and developing enablement materials for product teams on processes related to vulnerability identification, triage, and response.
• Implementing metrics, reporting, and dashboards to assess the effectiveness of vulnerability management, including SLA adherence, backlog, and remediation timelines.
• Providing executive-level reporting and insights regarding the product vulnerability risk posture.
• Defining governance processes, including exception handling, risk acceptance, and escalation pathways.
• Leading audit and assessment readiness efforts concerning vulnerability management processes and outputs.
• Building and managing a small team responsible for program operations, tooling, and disclosure coordination.
• Collaborating with Product Security Architects, Engineering, Legal, and Compliance teams to ensure alignment and effective execution throughout the organization.
• Serving as the central authority on product vulnerability management practices within the organization.
• Facilitating a federated operating model where product teams are accountable for remediation while following centralized standards and processes.
• Promoting consistency in vulnerability handling across a broad and diverse product portfolio.
• Ensuring that vulnerability management practices effectively scale across hundreds of products and various technology domains.
• Providing strategic direction for the continuous enhancement of vulnerability management capabilities, tooling, and processes.
• Assisting with regulatory audits and customer inquiries related to vulnerability management and disclosure practices.
• Proven experience in designing, building, or scaling a vulnerability management or PSIRT program within a product security or application security context.
• Comprehensive understanding of the vulnerability lifecycle, including detection, triage, prioritization, remediation tracking, and disclosure.
• Working knowledge of application security principles and common vulnerability classes (e.g., OWASP Top 10).
• Experience with vulnerability detection tools (SAST, DAST, SCA, container scanning) and their integration into development pipelines.
• Familiarity with defining or applying vulnerability scoring methodologies (e.g., CVSS) in a product context.
• Knowledge of Coordinated Vulnerability Disclosure (CVD) processes and engaging with external researchers.
• Understanding of regulatory requirements related to product security and vulnerability management, such as the EU Cyber Resilience Act (CRA).
• Experience working within or supporting Secure Software Development Lifecycle (SSDL/SSDLC) programs.
• Strong capability to define processes, standards, and governance models that can scale across large organizations.
• Excellent communication skills with the ability to convey technical risks in terms of business impacts.
• Preferred experience operating in large-scale, multi-product environments with distributed engineering teams.
• Preferred experience in establishing or managing SBOM and software supply chain vulnerability programs.
• Preferred experience with vulnerability disclosure programs or bug bounty platforms.
• Preferred experience in regulated industries or environments with stringent compliance requirements.
• Preferred experience with Agile/SAFe methodologies.
• Preferred experience leading or mentoring small, high-impact teams.
• Competitive salary and rewards package
• Competitive benefits and annual leave offering, allowing for work-life balance
• A vibrant, welcoming & inclusive culture
• Extensive career development opportunities and resources to maximize your potential