Product Security Engineer
Job Description
About Supabase: Supabase is the open-source Firebase alternative, built from the ground up to provide developers with enterprise-grade backend capabilities. Born-remote and open-source-first, our globally distributed team of over 280 members across 55+ countries supports a scaling global community of more than 500,000 developers. With over $500M raised from elite technology investors, we build in public, contribute deeply to the open-source ecosystem, and engineer highly scalable tools that developers love. We use what we ship every single day, maintaining a fast-paced, asynchronous workplace focused on absolute technical excellence and speed.
Position Overview
We are seeking a highly analytical, systems-minded Product Security Engineer to join our core Security team and help strengthen how security is built directly into Supabase’s products, platform layers, and cloud engineering workflows. In this critical, high-trust engineering seat, you will partner closely with distributed software engineers, infrastructure squads, and technical leadership to proactively reduce vulnerability risk earlier in the software development lifecycle (SDLC). Your goal is to design and ship secure-by-default systems, balancing sharp technical judgment with pragmatism to improve product defenses without becoming a bottleneck to engineering velocity, deployment speed, or developer autonomy.
Key Responsibilities
- Threat Modeling & Secure Design: Conduct deep-dive threat modeling, secure architecture reviews, and automated code audits to identify and mitigate practical vulnerability vectors.
- Scalable Security Mechanisms: Build, scale, and maintain automated security guardrails and scanning tools that are developer-friendly and enable rather than restrict velocity.
- Vulnerability & Bug Bounty Management: Manage, expand, and mature our public bug bounty and responsible vulnerability disclosure processes, leading triage, technical validation, and engineering prioritization loops.
- Incident Response & On-Call: Participate in asynchronous security on-call rotations, responding to urgent platform events with clear judgment, rapid technical remediation, and calm execution.
- Risk Prioritization: Analyze complex architectural flaws, distinguishing clearly between purely theoretical exploits and material business risks to map engineering priorities effectively.
- Core Fundamentals Hardening: Harden application security parameters across the platform, with a focus on advanced authentication (Auth), session tracking, API routing, and secure secrets handling.
Required Skills & Qualifications
- Proven professional history operating in application security, product security, or cloud security engineering roles within fast-scaling software environments.
- Demonstrated experience working comfortably across cloud-native developer tools, SaaS frameworks, distributed platforms, or containerized infrastructure products.
- Deep conceptual and hands-on grounding in web application security fundamentals, including modern authentication loops, session management, secure API construction, and secrets isolation.
- Practical exposure running vulnerability triage pipelines, responsible disclosure programs, or production security incident response frameworks.
- Outstanding written communication and interpersonal skills that drive technical clarity and align goals inside a highly collaborative, asynchronous environment.
- Location: 100% remote-first, full-time, open to qualified security engineers working from any country.
Preferred Skills (Nice to Have)
- Technical familiarity with or strong operational interest in **Postgres database architectures, Kubernetes container orchestration, or open-source software maintenance**.
- Prior history contributing to open-source security primitives or designing secure defaults inside multi-tenant database-as-a-service (DBaaS) networks.
What We Offer
- The exceptional technical canvas to directly shape, mature, and anchor the core product security posture for a platform scaling to millions of developers worldwide.
- ESOP Participation: Every single team member receives equity ownership allocations, ensuring a shared stake in our long-term commercial success.
- Fully remote work-from-home setup supported by a dedicated **Tech Allowance** to configure your ideal workspace hardware.
- Comprehensive health insurance covering 100% of the employee’s premium and 80% for direct dependents globally.
- Annual dedicated education allowance to fund your professional development, advanced courses, books, and conference attendance.
- Extensive asynchronous schedule flexibility, premium **WeWork memberships** anywhere in the world, and an annual company-wide off-site week.