ServiceNow seeks a Staff Product Security Engineer to serve as the technical core of our bug bounty program within the Product Security Incident Response Team (PSIRT). This is the senior engineer who owns bug bounty reports from intake through resolution: reproducing and validating the vulnerability, assessing its severity, and seeing it through to a verified fix. The work is deeply technical. Reproducing a vulnerability is only the starting point. From there you read the underlying code, identify root cause, and either propose the fix or design it alongside engineering before confirming it holds. You are also the person researchers deal with directly, which makes clear, credible communication as central to the role as the technical analysis itself. As one of the most senior engineers on the team, you will set the standard for how triage is done and mentor earlier-career engineers. Beyond the bug bounty queue, you will conduct variant hunts, perform original platform security research, lead major product security incidents, and run forensic postmortems when a significant issue reaches production. Key Responsibilities Triage and Resolve Bug Bounty Reports Own incoming reports end-to-end: intake, reproduction, severity scoring, root cause analysis, fix verification, and final disposition. Reproduce and validate reported vulnerabilities, building out incomplete proof-of-concept code where needed. Serve as the technical escalation point for the most complex and highest-severity reports, including multi-step exploit chains and cross-system issues. Perform code review and root cause analysis to identify the underlying defect rather than the reported symptom. Propose remediations, or design them with engineering, and verify the fix resolves the issue. Assign and defend severity ratings using the program's severity framework. Route issues to owning teams, file and track defects, and keep vulnerability records accurate through closure. Own Researcher and Stakeholder Communication Act as ServiceNow's primary technical point of contact for bug bounty researchers across the full lifecycle of a report. Handle severity and validity disputes directly, keeping every exchange clear, timely, respectful, and technically credible. Translate technical findings for internal stakeholders and keep engineering and leadership current on status and risk. Mentor the Team and Raise Triage Standards Provide technical mentorship to earlier-career PSIRT engineers, developing depth in reproduction, code analysis, severity judgment, and communication. Set and maintain the bar for triage quality and strengthen program practices over time. Lead Advanced Security Work Beyond Triage Conduct variant hunts to find related instances of reported vulnerabilities before they are discovered externally. Perform original platform security research to surface issues ahead of external researchers. Lead major product security incidents on the PSIRT side, coordinating response across teams under pressure. Run forensic postmortems after significant incidents to determine how the issue reached production, including how design-level flaws bypassed release processes, and confirm that remediations hold.
To be successful in this role, you have: 8+ years of hands-on experience in product security, application security, penetration testing, or vulnerability research. Depth of expertise matters more than years. Expertise in: Common web and application vulnerability classes and exploitation techniques. Vulnerability reproduction, severity assessment, and defensible risk scoring under ambiguity. Coordinated vulnerability disclosure. Code and development fluency: Strong code comprehension in Java, JavaScript, and Python, with the ability to trace root cause in large, unfamiliar codebases and review pull requests. Ability to write code and propose concrete fixes. This is not an application-building role, but you reason fluently in code. Working knowledge of Git, Gradle, Maven, CI/CD pipel
Every tech & IT company hiring across India — with AI match scores — on one live map.
Open the map →