Application Security Engineer

Summary

Join Vac's Security service unit as an Application Security Engineer and perform in-depth code reviews, focusing on low-level languages like Rust, Nim, and C++. Identify and address code-level and protocol-level vulnerabilities. Collaborate with development teams to remediate security issues and ensure best practices. Prepare for external security audits, defining scope, organizing documentation, and working with auditors. This hands-on role requires a passion for secure software development and proactive risk mitigation. You will execute incident response activities and contribute to the overall security posture of IFT projects. The position offers a mix of fiat/crypto compensation.

Requirements

• Minimum of 5 years of experience in Web3 security engineering, with proven experience securing blockchain protocols, smart contracts, or cryptographic systems
• Proficiency in low-level programming languages (Rust, Nim, C++)
• Expertise in secure coding practices, including identification of code/protocol-level vulnerabilities (e.g., buffer overflows, injection attacks) and code analysis/debugging
• Experience with manual/automated code review techniques and penetration testing in Web3 ecosystems
• Familiarity with cryptographic protocols, secure protocol design, and blockchain/distributed systems security
• Incident response capabilities (detection, analysis, containment, recovery)
• Experience collaborating with development/product teams to remediate vulnerabilities, including SSDLC processes and external audit preparation
• Strong documentation and communication skills for technical materials and stakeholder interactions (internal teams, auditors)
• Deep interest in blockchain technology and decentralisation

Responsibilities

• Perform in-depth manual and automated reviews of source code (with a focus on low-level languages such as Rust, Nim, and C++) to identify security vulnerabilities and logic flaws
• Analyse and review critical code paths for potential weaknesses
• Identify and assess both code-level vulnerabilities (e.g., buffer overflows, injection flaws) and protocol-level issues (e.g., insecure cryptographic implementations, protocol misconfigurations)
• Execute incident response activities, including detection, analysis, containment, and recovery, while documenting findings and lessons learned for continuous improvement
• Collaborate with development and product teams to remediate identified vulnerabilities, provide security guidance, and ensure secure coding practices are followed
• Define clear audit objectives and scope for external audits, focusing on the most critical components and protocols
• Prepare and organise all relevant documentation (architecture diagrams, codebase, threat models, protocol specifications) to facilitate an efficient and valuable external audit process
• Engage with external auditors early to clarify expectations and provide necessary context, ensuring the audit delivers actionable results
• Address and remediate issues identified in previous audits, and document improvements to demonstrate ongoing security maturity

Preferred Qualifications

• Experience with static and dynamic analysis tools (e.g. CodeQL, Valgrind)
• Knowledge of formal verification methods and tools
• Background in penetration testing or red teaming
• Ability to educate and train others on security best practices
• Contributions to open-source security projects or published security research

Benefits

We are happy to pay in any mix of fiat/crypto