
Senior Application Security Engineer (Next.js & Cloud-Native HealthTech)

Aiomics

Berlin

On-site

EUR 60.000 - 80.000

Full-time

11 days ago

Summary

A pioneering health technology firm in Berlin seeks an application security expert to build and lead its application security function. You will ensure robust protections for sensitive patient data, from conducting manual security reviews to implementing automated security tools. This role offers a unique opportunity to shape security practices from the ground up in an innovative environment.

Benefits

Opportunity for critical impact
Work with a diverse, expert team
Build cutting-edge security foundations

Qualifications

  • Experience in finding and fixing critical web vulnerabilities.
  • Practical knowledge of JWTs, sessions, and middleware.
  • Comfortable navigating AWS cloud security tools.

Responsibilities

  • Conduct manual security reviews of the codebase.
  • Own relationships with external security researchers.
  • Implement SAST and SCA tooling in CI/CD pipeline.

Skills

Web vulnerability analysis
Understanding of authentication/authorization flows
Experience with cloud security tools
Participation in bug bounty programs

Tools

AWS Security Hub
Next.js
React

Job description

Build and own the application security function from the ground up, ensuring our patient-facing platform is hardened against real-world threats before our first user logs in.

What you'll be primarily doing

  • Perform deep-dive manual security review of our Next.js/React 19 codebase, specifically targeting auth logic, business logic flaws, and data access patterns in server actions and API routes.
  • Threat model critical user journeys (e.g., patient data access, practitioner authentication).
  • Own the relationship with external security researchers.
  • Implement and fine-tune SAST and SCA tooling to minimize noise and maximize signal.
  • Partner with cloud engineers to triage and remediate findings from AWS Security Hub.
  • Document and champion secure configurations for Vercel, Clerk, and our private networking setup.

What success looks like (outcomes only)

By month 3
  • The critical account-takeover class of vulnerability (e.g., insecure server actions) is verifiably eliminated from the Next.js codebase; the root cause is addressed with a scalable, preventative control.
  • A formal Responsible Disclosure Program is live, with a clear, respectful process for security researcher intake, triage, and communication.
  • Automated security scanning (SAST/SCA) is integrated into the CI/CD pipeline, providing fast feedback to developers on critical findings.

By month 6
  • A comprehensive threat model for the patient and practitioner portals is documented, has identified the top 5 risks, and is actively informing the security roadmap.
  • Secure coding guidelines for our stack (Next.js, Server Actions, API routes) are established and have been adopted by the development team.
  • The backlog of critical and high-severity findings in our cloud environment (AWS Security Hub, Config) has been reduced by at least 75%.

What we would love you to bring
  • You’ve found, fixed, and explained critical web vulnerabilities (OWASP Top 10) in modern JavaScript frameworks (React/Next.js).
  • You have a deep, practical understanding of authentication and authorization flows (JWTs, sessions, middleware) and, more importantly, how to break them.
  • You are comfortable navigating cloud security tools (AWS Security Hub, GuardDuty, IAM Access Analyzer) to triage and advise on infrastructure findings.
  • You have experience running or actively participating in a bug bounty or vulnerability disclosure program. You know how to talk to researchers.

What makes this a great opportunity
  • Greenfield Security Ownership: This isn’t about maintaining a legacy program. You will build our application security function from scratch, establishing the tools, processes, and culture your way.
  • Immediate, Critical Impact: Your work will directly protect sensitive patient and practitioner data from day one, forming the bedrock of our product's trustworthiness.
  • A Modern, Interesting Stack: Secure a cutting-edge architecture (Next.js 15 on Vercel, serverless backends, PrivateLink) where the application layer is the true security frontier.
  • Build it right, then fast: We obsess over quality and are giving you the mandate to build in the right security foundations before we scale.
  • Interdisciplinary, seasoned team: You’ll work directly with a physician-CEO (deep user-research mindset), a lawyer-COO (operations and compliance rigor), and a CTO with a decade in full-stack data science.