Security Analyst, Bug Bounty Remote - Americas

Shopify

Ontario

Remote

CAD 70,000 - 90,000

Full time

Yesterday

Job summary

Join a leading company as a Security Analyst in the Trust & Security Team, focusing on bug bounty programs. You'll assess and manage security vulnerabilities, communicate with hackers, and contribute to improving security processes. This role requires excellent communication skills and a foundational knowledge of cybersecurity.

Qualifications

  • Understanding of common security issues like OWASP Top 10.
  • Strong investigative, analytical, and decision-making skills.

Responsibilities

  • Assess, validate, retest, and close bug bounty reports.
  • Communicate with hackers and answer questions about their reports.
  • Create and maintain documentation supporting the program.

Skills

Communication
Analytical
Investigative

Tools

Burp Suite

Job description

We're looking for two curious and detail-oriented individuals to join Shopify's Trust & Security Team as a Security Analyst for our bug bounty program.

As part of the Application Security team in Trust, you'll contribute to Shopify's mission of making commerce better and safer for everyone. The team focuses on discovering, fixing, and preventing security vulnerabilities across Shopify's code and ecosystem. Our bug bounty program enables us to collaborate with a global hacker community to identify security issues.

Role Responsibilities:
  1. Assess, validate, retest, and close bug bounty reports.
  2. Escalate complex reports to application security engineers.
  3. Coordinate with internal teams to resolve bug bounty reports.
  4. Communicate with hackers on the platform and answer questions about their reports.
  5. Participate in security incident response activities related to bug bounty reports.
  6. Create and maintain internal and external documentation supporting the program.
  7. Contribute to process and program improvements.

Qualifications:
  • Understanding of common security issues such as the OWASP Top 10.
  • Experience with DAST tools like Burp Suite.
  • Excellent communication skills—clear, concise, friendly, and firm.
  • Ability to assess and escalate high vs. low risk issues effectively.
  • Experience communicating with diverse audiences and de-escalating tense situations.
  • Ability to maintain a consistent operational rhythm.
  • Strong investigative, analytical, and decision-making skills.
  • Basic understanding of how web requests and applications work.
  • Foundational cybersecurity knowledge and awareness of common risks.
  • A desire to build a career in cybersecurity.

Preferred but not required:

  • Experience with Ruby development.
  • Participation in bug bounty or previous bounty program experience.
  • Experience working with system owners to remediate issues.
  • Familiarity with frameworks such as CVSS.
  • Passion for bug bounty programs and the hacker community.