Flock is dedicated to building technology that enhances community safety and privacy. As a Staff Security Engineer, PSIRT Lead, you will manage Flock's Security Incident Response Team, overseeing vulnerability management and coordinating cross-functional teams to ensure product security. This role requires strong technical expertise and leadership skills to drive security initiatives and metrics across the organization.
Responsibilities:
- Stand up and run Flock's Product Security Incident Response Team (PSIRT) as the single point of accountability for every externally reported and internally discovered vulnerability that touches a Flock product
- Coordinate fixes with the owning engineering teams and coordinate validation of those fixes with security counterparts
- Be the operational owner of our newly established CNA and the technical owner of our Coordinated Vulnerability Disclosure (CVD) program
- Drive fixes to closure across Hardware, Firmware, Device SRE, Cloud SRE, Mobile, ML, Legal, Comms, and Customer Support
- Lead by influence across engineering, legal, communications, and support, setting the SLAs, the metrics, the playbooks, and the public security advisories that the rest of the company executes against
- Partner closely with our Detection & Response team and Corporate Security, focusing on reducing risk for devices in the field and the customers who depend on them
- Assess the existing security and incident response landscape across our product and infrastructure ecosystem in the first 30 days
- Establish relationships with key cross-functional stakeholders to define a collaborative incident response matrix
- Draft a baseline Product Security Incident Response Team (PSIRT) operating model, including intake channels, triage SLAs, severity rubrics, and disclosure policies, for leadership review
- Complete onboarding with the relevant vulnerability management authorities and validate the end-to-end CNA workflow by successfully processing a first identifier assignment within the first 60 days
- Establish central tracking workflows and documentation templates to streamline and automate the logging, remediation, and reporting of security findings
- Manage response operations against established SLAs, tracking key metrics like time-to-triage, time-to-fix, and time-to-disclose, and deliver regular performance updates to leadership
- Execute coordinated public security advisories when necessary, ensuring patches, customer communications, and public disclosures are seamlessly synchronized
Requirements:
- 7+ years in security engineering with at least 4 years directly running or leading a PSIRT, product security, or coordinated vulnerability disclosure function
- Experience at a company that ships connected hardware (LPR/IP cameras, ICS/OT, automotive, medical, or networking gear) is highly preferred
- Demonstrated end-to-end ownership of the FIRST PSIRT Services Framework v1.1 service areas (Stakeholder Ecosystem, Discovery, Triage, Remediation, Disclosure)
- Hands-on operational experience acting as a CVE Numbering Authority (CNA) or leading the technical onboarding of one
- Deep knowledge of CNA Operational Rules v4.x, CVE scope definition, and root coordination (CISA ICS-CERT, MITRE)
- Deep familiarity with ISO/IEC 29147 (disclosure), ISO/IEC 30111 (handling), the CERT/CC Guide to CVD, and CISA Binding Operational Directive 20-01
- Strong technical understanding across product security, with deep operational experience in at least three of the following (areas 1 and 2 are highly prioritized): Embedded/Firmware Security, Linux/Android Device Security, Cloud Security on AWS, Mobile/Web App Security, ML/CV Model Security
- Fluent with CVSS v3.1/v4.0, CWE classification, EPSS, and SSVC frameworks
- Exceptional written communication skills
- Ability to obtain and maintain CJIS certification as a condition of employment