An opportunity to join a world-class web security research team and champion the sharing of knowledge about web security vulnerabilities and how to find them.
Background
Based in Cheshire in the United Kingdom, PortSwigger is a global leader in web security. Burp Suite is used by over 17,000 companies in 140 countries to find security vulnerabilities. Our educational and research output is used by millions of people globally to learn about web security.
Our dedicated research team, led by James Kettle, has a track record of pioneering original research into new vulnerability classes and new takes on old bugs, including web cache poisoning, server-side template injection, HTTP request smuggling, CORS misconfigurations, and AngularJS injection.
We would now like to expand the capabilities of our research team with additional expertise in web security vulnerabilities and ways of testing for them.
About you
First and foremost, you're a hacker. You love playing with systems, and breaking them.
You've found your niche in web security: understanding the wealth of vulnerabilities that are out there, how to find them, and how to exploit them.
As a seasoned penetration tester, you've encountered pretty much every kind of web security bug there is. You enjoy telling war stories about the crazy bugs that you've found.
You thrive on sharing your knowledge and helping others to learn. You relish the idea of reaching a global audience and teaching them how to hack the web.
Any of the following get you excited:
- Quirky variations on common vulnerabilities that make them harder to find or exploit.
- Chaining together low-risk vulnerabilities to enable a more serious attack.
- Devising ways to automate tasks that are normally done manually.
- Finding loopholes in input validation or other defenses that most testers give up on.
- Using out-of-band techniques to detect invisible vulnerabilities.
- Spotting overlooked wrinkles in well-worn topics that uncover new possibilities for exploitation.
- Devising and participating in CTF competitions.
- Sharing your expertise with others, through training courses, blog posts, or other output.
Key responsibilities
You will:
- Keep abreast of the latest research into web security vulnerabilities and detection techniques, by monitoring the output of other researchers and attending conferences such as AppSec.
- Continue honing your own penetration testing skills, by testing bug bounty sites and performing security testing of our own applications.
- Devise new labs for the Web Security Academy, showcasing interesting vulnerabilities based on your real-world experience or research developments. This will involve creating outline functional specifications for developers to implement.
- Provide subject matter expertise into the generation of learning materials for the Web Security Academy. This will involve producing skeleton outlines for new content (at the level of bullet lists), liaising with in-house technical writers, and reviewing draft materials.
- Use Burp Suite continuously as part of your bug bounty and research activities, monitor its performance and accuracy, and provide feedback to our product teams on potential enhancements.
- Produce blog posts and other output on general web security topics and the results of your own research.
Essential skills
- Web security expert, with deep and broad knowledge of vulnerabilities and how to find and exploit them.
- 5+ years of experience of penetration testing web applications.
- Power user of Burp Suite Professional and passionate about the product.
- Strong communicator, able to explain complex technical details to a less specialist audience.
- Effective team player with high EQ and low ego.
- Helpful, can-do attitude, generous in sharing time and knowledge with others.
- Good time management: able to manage own agenda, multi-task, and work to deadlines.
- A track record of published research on web security would be beneficial but is not critical.
Be well rewarded
We firmly believe in paying people what they're worth to us, not just what we can get away with or what they could earn elsewhere. We pay excellent salaries above the normal market level, and this is always determined based on your individual skills and contribution.
In addition to a generous base salary, we offer share options and a comprehensive benefits package.
Why join PortSwigger Web Security?
- We like to have fun (why else would we make a product called Burp?).
- We are professional without being corporate.
- We encourage a positive work-life balance. We work hard but keep to a normal working day. We don't do stress.
- We offer a healthy, high-tech working environment. All our people work on the latest Macs, with dual monitors, sitting-standing desks, and (if they are so inclined) walking treadmills.
- We are a close-knit team. We have regular team lunches, evening social events, and amazing parties twice a year.
Job details: web vulnerability researcher
Timeframe: Permanent position.

Location: Knutsford, Cheshire, United Kingdom.
We are minutes from the M6, and easily commutable from Manchester, Stockport, Wilmslow, Warrington, Chester, Crewe, Macclesfield, and Northwich.
Note: We can offer a comprehensive relocation package and assistance with visas for applicants from outside of the UK.

Salary: We pay excellent salaries above the normal market level, and this is always determined based on your individual skills and contribution.

Benefits:
- Share options.
- 8% employer pension contribution.
- Life assurance: 4x salary.
- Income protection: full pay for first 6 months of incapacity followed by 75% of salary plus pension contribution.
- Private medical insurance (Bupa).

Holidays: 25 days plus public holidays.

Working hours: Core hours are 9am to 5pm, with flexibility to start any time between 8am and 9.30am.
To apply, or ask any questions, please email careers@portswigger.net.