## About Polymarket
Polymarket is the world's largest prediction market platform. We enable individuals to express views on real-world events by trading on outcomes across politics, economics, sports, culture, and current affairs. Built as a peer-to-peer marketplace with no centralized "house," Polymarket aggregates diverse opinions into transparent, market-based probabilities that reflect collective expectations about the future. We're growing fast — both in terms of volume ($21B traded in 2025) and adoption as an alternative news source. Our ambition is to become a ubiquitous beacon of truth in global media and we need your help adding fuel to the fire.
## What You'll Do
- Own the application security program across the SDLC — from design review through deployment — ensuring security is addressed early and consistently
- Conduct threat modeling on new features and architectural changes; perform security design reviews and code reviews on high-risk changes with specific, actionable findings
- Own the SAST, DAST, and SCA toolchain — selection, deployment, tuning, and CI/CD integration so findings surface at commit time, not post-deployment
- Triage and prioritize automated scanner output, delivering a risk-ranked backlog rather than raw tool output to engineering teams
- Conduct manual penetration testing and security assessments of web applications, APIs, and internal services — with particular focus on authentication, authorization, and financial transaction flows
- Manage the external penetration testing program and own the bug bounty program end-to-end: triage, severity calibration, researcher communication, and payout coordination
- Track and drive remediation of application-layer vulnerabilities across the product portfolio; monitor CVEs and escalate exploitable issues requiring immediate action
- Develop and maintain secure coding guidelines and developer-facing security education tailored to the team's stack and threat model
## What We're Looking For
- 3+ years of hands-on application security experience — penetration testing, secure code review, or a dedicated AppSec engineering role
- Strong proficiency identifying and exploiting OWASP Top 10 vulnerabilities; experience assessing modern web applications and API architectures
- Experience deploying and operating SAST, DAST, and SCA tooling (Semgrep, Snyk, Burp Suite, or equivalent)
- Ability to read and write code in at least one common backend language (Python, Go, TypeScript, or similar) to conduct meaningful code review
- Experience conducting or managing penetration tests against web applications and REST/GraphQL APIs
- Solid understanding of authentication and authorization patterns: OAuth 2.0, JWT, session management, RBAC, and common weaknesses in each
- Clear written communication — able to write findings that developers actually read and act on
- (Plus) Experience with a bug bounty platform (HackerOne, Bugcrowd, or equivalent) as an operator
- (Plus) Familiarity with smart contract security, blockchain transaction flows, or Web3 threat models
- (Plus) Experience securing financial transaction systems — payment flows, fraud vectors, double-spend risks
- (Plus) Security certifications: OSCP, GWAPT, GWEB, or equivalent
- (Plus) Exposure to AWS application-layer security services: WAF, API Gateway, Cognito, Shield
- (Plus) Prior experience building or scaling a security champions program inside an engineering organization
## Benefits
- Competitive salary & equity
- Unlimited PTO
- Full Health, Vision, & Dental coverage
- 401k match
- Hardware setup: new MacBook Pro, big display, & accessories
## About Polymarket
Polymarket is the world's largest prediction market platform where users trade on the outcomes of real-world events such as politics, sports, economics, and more, using USDC cryptocurrency on the Polygon blockchain. It provides real-time odds reflecting news, polls, and events, and operates globally with a US-regulated entity.