Note: The job is a remote job and is open to candidates in USA. ServiceNow is a leading provider of innovative security solutions, aimed at reducing risk and protecting both the company and its customers. They are seeking a Senior Staff Product Security Engineer to serve as a technical authority within the Product Security Incident Response Team (PSIRT), leading investigations and coordinating responses to significant security vulnerabilities.
Responsibilities
- Provide additional response coverage outside of normal working hours for significant product vulnerabilities as they emerge
- Demonstrate technical and organizational leadership during these events—bringing structure and clear decision-making under pressure
- Partner with incident commanders, business information security leadership, engineering, and customer-facing teams to maintain clear ownership, workstream prioritization, and hand-offs during these events
- Drive coordinated response across affected releases, balancing risk and remediation feasibility
- Leverage an understanding of product development cycles and engineering/product partnerships to move fixes through the release pipeline without stalling on organizational boundaries
- Verify fix completeness and guard against incomplete mitigations before release
- Lead ServiceNow's CVE disclosure process—owning CVE assignment, scoring, advisory content, and publication timing
- Collaborate with external security partners, vendors, and researchers on coordinated disclosures, aligning timelines and messaging across parties
- Conduct technical accuracy reviews of external advisories, researcher write-ups, and joint disclosure content to ensure correctness before publication
- Represent PSIRT's technical position in multi-party coordinated disclosures and researcher engagements
- Author postmortems and drive lessons learned to closure following product security incidents
- Participate in retrospectives following significant product security events, translating findings into concrete process and technical improvements
- Contribute to partner teams tracking product security risk themes and trends across the portfolio
- Contribute to SDLC improvement areas, feeding incident learnings upstream into secure development practices
Skills
- Minimum 12 years of related experience with a Bachelor's degree; or 8 years with a Master's degree; or a PhD with 5 years of experience; or equivalent experience
- Minimum 5 years of auditing source code for security vulnerabilities
- Demonstrated leadership during significant security events or major incidents, with willingness to participate in on-call
- Ability to read and comprehend Java and JavaScript code
- Strong understanding of common Java and JavaScript vulnerabilities
- Proficiency in scripting in both Python and JavaScript for data gathering, processing, and visualization
- Development of proof-of-concept exploits for web application vulnerabilities
- Written and verbal communication of complex security risk clearly to both technical teams and leadership
- Experience with leading fix implementation and release coordination across engineering, product, and test/release teams
- Proficiency in deep-dive product security investigations and root-cause analysis spanning design, code, configuration, and operational layers
- Exploit analysis and proof-of-concept development that distinguishes real exploitability from theoretical risk
- Familiarity with SDLC integration, CI/CD pipelines, SaaS threat models, and secure development practices
- Experience leading a CVE disclosure process, including CVE assignment, scoring (CVSS), and advisory publication
- Experience in a PSIRT or similar function for a major software or SaaS platform
- Recognized expertise in product security incident response, vulnerability research, or application security within a software or SaaS environment
- Experience conducting vulnerability assessments on the ServiceNow platform
- Experience with emerging threats: AI-specific attack vectors, software supply chain security, and SDLC tooling security
- Experience with cloud infrastructure (AWS, Azure, GCP) and containerized environments
- Relevant security certifications (e.g., OSWE) or demonstrated equivalent expertise
Benefits
- Equity (when applicable)
- Variable/incentive compensation
- Health plans
- Flexible spending accounts
- A 401(k) Plan with company match
- ESPP
- Matching donations
- A flexible time away plan
- Family leave programs
Company Overview
Company H1B Sponsorship