Senior OSS-SIRT Engineer / Technical Lead (Hybrid)
Company Description
The Linux Foundation is a 501(c)(6) non-profit that provides a neutral, trusted hub for developers and organizations to code, manage, and scale open technology projects and ecosystems.
The Open Source Security Foundation (OpenSSF) is a cross-industry organization at the Linux Foundation that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.
Job Description
The Senior OSS-SIRT Engineer is the technical authority for vulnerability triage, tooling, workflows, and automation. This role bridges engineering, security analysis, and ecosystem operations, ensuring vulnerability data is accurate, machine-readable, and actionable. This individual acts as the day-to-day technical lead for OSS-SIRT operations and mentors junior engineers.
Responsibilities
Lead vulnerability triage and validation using OSV-based workflows
Design and improve ingestion, linting, and curation pipelines
Coordinate with maintainers, researchers, and CNAs on complex disclosures
Develop and maintain automation tooling (APIs, CLIs, GitHub Actions, CI hooks)
Ensure alignment with OSV Schema, CWE, CVSS/EPSS, VEX, and SBOM formats
Support incident response for high-severity, multi-project vulnerabilities
Provide technical guidance to the OSS-SIRT Director on feasibility and risk
Qualifications
Prerequisites
8+ years in security engineering, PSIRT, or vulnerability research roles
Hands-on experience with OSS vulnerability disclosure and triage
Strong understanding of software supply chain security
Experience working directly with open source maintainers
Proficiency in scripting or programming (e.g., Python, Go)
Desirable Skills and Background
Experience with OSV, GitHub Security Advisories, or CNA participation
Familiarity with SBOM tooling (SPDX, CycloneDX)
Automation-first security tooling development
Success Metrics (First 24 Months)
Stable, repeatable triage workflows operational within 3 months
Automation reducing manual review effort by 30% or more
High maintainer satisfaction and reduced back-and-forth on submissions
Successful mentorship of junior OSS-SIRT engineers
Additional Information
Salary: $140,000 – $160,000 USD
All your information will be kept confidential according to EEO guidelines.
The Linux Foundation is unable to provide visa sponsorship for this position. Candidates must be authorized to work in their country of residence without employer sponsorship, now or in the future.
Department: Large Projects Leads
Role: OpenSSF
Locations: Remote
Remote status: Fully Remote