Sr Product Security Engineer

Overview The AI orchestration of your wildest imagination. n8n is the open workflow orchestration platform built for the new era of AI. We give technical teams the freedom of code with the speed of no-code, so they can automate faster, smarter, and without limits. Backed by a fiercely inventive community and 500+ builder-approved integrations, we’re changing the way people bring systems together and scale ideas for impact.Since our founding in 2019, we’ve grown into a diverse team of over 160 people working across Europe and the US, connected by a shared builder spirit with our centre of gravity in Berlin. That’s the company we’ve built. Now we’d love to see what you can build. If you’re applying, try n8n out - whether you’re technical or not - and share a screenshot of your first workflow with us. The easiest place to start is here: app.n8n.cloud/register.We’re in a defining moment of an incredible journey. Come and build with us.Role We are seeking a Senior Product Security Engineer to join our engineering organization as our first dedicated security hire. In this role, you will take primary ownership of n8n’s product security posture and work closely with the VP of Engineering to establish security as a core pillar of our engineering culture. This is a foundational role with significant autonomy and influence. You will define priorities, design processes, and implement pragmatic security practices that scale with a fast-growing, open-source-driven SaaS platform. While you will initially operate as a senior individual contributor, this role has the potential to evolve as n8n grows. You will partner with a 50+ person engineering organization across multiple product areas, acting as both a hands-on security expert and a trusted advisor who enables teams to ship securely without unnecessary friction.Key ResponsibilitiesVulnerability Management & DisclosureOwn and operate n8n’s vulnerability intake and triage process, including the inboxDesign, improve, and run a robust Vulnerability Disclosure Program (VDP) with clear SLAs and escalation pathsCoordinate private fixes for high-severity issues and manage coordinated disclosure timelinesCreate and manage GitHub Security Advisories (GHSA)Coordinate bug bounty payouts and researcher communication for validated findingsDefine and operate patch and release processes for security fixes, including customer-specific timelines where requiredSecurity Tooling & AssessmentEvaluate, implement, and maintain security tooling across the SDLC (SAST, DAST, dependency scanning, container scanning, SBOMs)Own configuration, tuning, and triage workflows for existing tools (currently Aikido)Plan and manage third-party penetration tests, including scoping, vendor coordination, and remediation trackingConduct internal security assessments and lightweight red-team or tabletop exercises appropriate to company scaleIncident Response & Security CommunicationLead coordination of security incidents from detection through resolutionDrive incident tracking and remediation workflows in LinearAuthor security advisories and contribute to internal and external post-incident reviewsCommunicate clearly, calmly, and empathetically with customers and users during security incidents, in partnership with engineering and leadershipSecurity Program DevelopmentDefine and maintain security policies, standards, and public-facing disclosure documentationManage relationships with security researchers and bug bounty platforms (e.g., HackerOne, Bugcrowd)Track industry trends, emerging vulnerabilities, and relevant research, proactively applying learnings to n8n’s environmentHelp shape longer-term security strategy and roadmap in collaboration with engineering leadershipSecure SDLC IntegrationEmbed security into the software development lifecycle through threat modeling, design reviews, and pragmatic guardrailsAdvise engineering teams on secure coding practices and common vulnerability patternsProduce clear, actionable security documentation for internal engineering audiencesPartner closely with product and engineering teams across Nodes, AI Core, Cloud, and other areas to ensure security considerations are built in earlyWhat Success Looks LikeEstablished a predictable, trusted vulnerability intake and triage processReduced mean time to remediation for high and critical security issuesIntegrated security tooling into CI/CD with minimal friction for engineersSuccessfully led at least one coordinated disclosure or security incident end-to-endBuilt strong relationships with engineering teams as a pragmatic, enabling security partnerRequirements Must-haves5+ years of experience in product security, application security, or a closely related role (or equivalent demonstrated impact)Hands-on experience with vulnerability management and disclosure workflowsStrong understanding of common web application vulnerabilities (e.g., OWASP Top 10)Experience implementing and operating security tooling (SAST, DAST, dependency and container scanning)Familiarity with coordinated vulnerability disclosure and security advisoriesProven ability to write clear security documentation and communicate with both technical and non-technical audiencesExperience engaging with security researchers or bug bounty programsNice-to-havesExperience securing SaaS platforms in cloud-native environmentsFamiliarity with JavaScript/TypeScript and the Node.js ecosystemExperience working in high-growth or open-source-adjacent companiesKnowledge of DevSecOps practices and CI/CD security integrationExperience with threat modeling methodologiesRelevant security certifications (e.g., OSCP, CISSP, CEH)Working Style & PhilosophyYou prioritize pragmatic risk reduction over rigid controlsYou see security as an enabler of product velocity, not a gatekeeperYou are comfortable making trade-offs and focusing on the highest-impact risksYou thrive in environments with ambiguity and ownershipBenefitsCompetitive compensation – We offer fair and attractive pay.Ownership – Our core value is to “empower others,” and we mean it—you’ll get a slice of n8n with equity.Work/life balance – We work hard but ensure you have time to recharge: Europe: 30 days of vacation, plus public holidays wherever you are. US: 15 vacation days, 8 sick days, plus public holidays wherever you are.Health & wellness – Europe: benefits according to local country norms. US: medical, dental, vision plans with various options.Future planning – Europe: pension contributions; US: 401(k) with employer match.Financial security – Europe: benefits per local norms; US: disability and life insurance.Career growth – €1K per year for courses, books, events, or coaching.A passionate team – regular hackathons and open-source spirit.Remote-first – Remote across Europe; some roles in the US are hybrid.Giving back – $100 per month to support projects you care about.AI enablement – Unlimited AI budget for productivity and creativity.Transparency – Visibility into what everyone is working on and company health.An ambitious but kind culture – eNPS 94 in 2024.Country-specific details are provided in your contract.n8n is an equal opportunity employer and does not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, gender identity, age, marital status, veteran status, or disability status. We can sponsor visas to Germany; for any other country, you need to have existing right to work. Our company language is English. Diversity, Inclusion and Belonging initiatives at n8n: Diversity-inclusion-and-belonging-n8n-c1bec2fff d868b1a438d990e35. Location disclaimer: If you see multiple job postings for the same role, apply to the location you’re most likely to work from.#J-18808-Ljbffr