Staff Software Engineer, Security - job 1 of 2

Hi, we're The Browser Company 👋 and we're building a better way to use the internet.

Browsers are unique in that they are one of the only pieces of software that you share with your parents as well as your kids. Which makes sense, they're our doorway to the most important things — through them we socialize with loved ones, work on our passion projects, and explore our curiosities. But on their own, they don’t actually do a whole lot, they’re kind of just there. They don’t help us organize our messy lives or make it easier to compose our ideas. We believe that the browser could do so much more — it can empower and support the amazing things we do on the internet. That’s why we’re building one: a browser that can help us grow, create, and stay curious.

To accomplish this lofty task, we’re building a diverse team of people from different backgrounds and experiences. This isn’t optional, it’s crucial to our mission, as we need a wide range of perspectives to challenge our assumptions and shape our browser through a bold, creative lens. With that in mind, we especially encourage women, people of color, and others from historically marginalized groups to apply.

About The Role

As a Staff Software Engineer, Security at The Browser Company, You will lead and ship Dia-specific security features that make the product enterprise-ready and resilient by default. This is a hands-on role focused on execution: you’ll drive the highest-impact security work across client and server surfaces, coordinate with multiple teams to sequence priorities, and continually account for AI-driven risks (prompt injection, tool abuse, data exfiltration) in every design and review. You will report to the Head of Security, working closely with Product, Infra, IT, and Legal to ship security features fast.

Overall you will...

• Design and ship enterprise security features in the Dia product: MDM policies/profiles, managed accounts, SSO/SAML/OIDC, SCIM provisioning, RBAC/permissions, and audit logging.

• Develop and uphold security policies and procedures across the organization, support compliance efforts, and lead incident response.

• Drive Dia’s security architecture and threat modeling across client and backend surfaces with an AI-first threat lens.

• Secure cross-device sync end-to-end: key management, encryption-at-rest/in-transit, integrity protections, recovery/rotation, and abuse prevention.

• Expand and run vulnerability management for Dia (client, services): SCA/SBOM, static/dynamic analysis, fuzzing, dependable patch pipelines, triage SLAs, and coordinate with our partners to improve bug bounty intake process.

• Harden both the client and services: sandboxing/isolation, content sanitization for untrusted web inputs, permission and capability scoping, and secure-by-default frameworks.

• Develop AI-aware defenses that make our systems intrinsically secure, with guardrails against prompt injection/jailbreaks, output filtering/policy enforcement, red teaming/adversarial testing, and incident playbooks.

• Establish metrics and dashboards tracking the effectiveness of our security infrastructure and programs (e.g., vuln backlog burn-down, time-to-patch, coverage of enterprise controls) to guide priority and measure impact.

Technical Projects You’ll Shape With Us…

• Architect and deliver enterprise security features for Dia, including MDM integration, managed accounts, and advanced authentication/authorization controls.

• Architect and implement of secure cross-device syncing capabilities, focusing on cryptography, key management, and recovery processes.

• Build and refine vulnerability management processes, including static and dynamic analysis, fuzzing, and coordination with external partners for bug bounty intake.

• Collaborate with engineering and product teams to embed secure-by-default patterns and frameworks throughout Dia’s codebase.

• Drive the creation and evolution of security metrics and dashboards to measure and communicate impact across the organization.

• Join our team’s on-oncall rotation, helping the team keep our services reliable and responding to production and security incidents.

Qualifications

• 5+ years leading large-scale security engineering projects and shipping security features in production.

• Strong coding skills in one or more of Golang, Swift, TypeScript, or Python; comfortable working across native client and backend services.

• Excellent cross-functional communication; able to align and coordinate across Product, Infra, IT, and Legal to deliver high-impact outcomes quickly.

• Privacy-minded with a bias for high-velocity execution and clear prioritization.

• Our team is based in North American time zones and require that folks have 4+ hours of overlap time with team members in Eastern Time Zone.

Experience in the below areas is not required, but would be nice to have:

• Proven vulnerability management execution: SCA/SBOM, code scanning/fuzzing, triage, and fast patch pipelines.

• Familiarity with client side software development. With Browser or Chromium development a plus.

• Familiarity with designing and working with crypto and key management is a plus

• Familiarity with AI/LLM security risks (prompt injection, tool-use abuse, data exfiltration) and practical guardrail patterns.

Compensation and Benefits

💰 With our flexible compensation model, employees have the ability to choose the cash-to-equity ratio that best suits their individual needs. Every offer we extend includes three options: a salary-optimized offer, an equity-optimized offer, and a balanced offer.

The annual salary range for this role is $225,000-$300,000. The actual salary range offered will vary based on experience level and interview performance.

🧘🏻‍♀️ In addition to a competitive salary and equity package, we provide every employee with the following benefits:

• comprehensive benefits package with employee medical, dental, and vision - we cover 100% of premiums for employees, and up to 95% for dependents

• 401k plan

• flexible vacation policy - on average, our team members take between 15-20 vacation days a year, plus federal holidays (holidays vary by location)

• remote-friendly working environment - our core working hours are 11 AM-2 PM Eastern Time Monday-Friday

• 12 weeks of paid parental leave

• $1,500 USD home office stipend

• Employees based in the US also receive additional services like free annual memberships to One Medical (where available), Talkspace, Teladoc, and HealthAdvocate

The Browser Company is a well-funded, ambitious startup of close to 100 people (and growing!) who are passionate about building great products. We are a remote-first, distributed team, with the option to work from office in Brooklyn, New York. We strongly support diversity and encourage people from all backgrounds to apply. 

🚙 To read more about what we value as a company, check out Notes on Roadtrips on our blog.