Senior Web Security Engineer, Browser Platform at DuckDuckGo

This role is built for a senior-level security professional with 7+ years of experience who is deeply entrenched in the world of browser internals and web vulne

Work type: remote

Location: Remote

Salary: $178,500/yr

Type: Full-time

Summary

This role is built for a senior-level security professional with 7+ years of experience who is deeply entrenched in the world of browser internals and web vulnerabilities. The ideal candidate isn't just a generalist; they have a "breaker" mindset with advanced JavaScript skills and a granular understanding of WebView technologies (WebKit, Chromium). You’ll thrive here if you enjoy performing deep-dive architectural audits and implementing company-wide mitigations to prevent XSS and other injection attacks. What makes this position stand out is the high level of ownership and DuckDuckGo’s transparent, flat compensation model. Earning a fixed $178,500 regardless of your location offers rare geographical freedom. As a remote-first team, they prioritize a culture of trust and "end-to-end" project management, meaning you’ll have the autonomy to shape security standards across a platform used by millions. **You might be a good fit if you:** * Can bypass complex security models (SOP, CSP, CORS) and then write the code to fix the loophole. * Have professional experience with mobile or desktop WebView integrations (WebView2, WebKit). * Enjoy collaborating directly with product engineers to bake security into the development lifecycle. * Prefer working in a high-trust, autonomous environment without "core hours."

Job Description

# Who We Are

Hi, we're DuckDuckGo, the online protection company and remote-first team of 300+ on a mission to raise the standard of trust online. Founded in 2008 and profitable since 2014, annual revenue now exceeds $100m USD and millions use our browser on [Mac](https://spreadprivacy.com/introducing-duckduckgo-for-mac/), [Windows](https://spreadprivacy.com/windows-browser-open-beta/), [iOS](https://spreadprivacy.com/duckduckgo-privacy-browser-ios14/), and [Android](https://spreadprivacy.com/introducing-app-tracking-protection/), our [search engine](https://duckduckgo.com/), and the [DuckDuckGo subscription](https://duckduckgo.com/pro). Our [culture](https://duckduckgo.com/how-we-work) of trust, inclusivity, and empowered project management underpins everything we do, where each team member takes full ownership of their projects, from scoping and execution to postmortem. If you're seeking end-to-end ownership of your work — you've come to the right place!

# Your Team and Role

Working on the Security Functional Team, you'll play a pivotal role in ensuring our security capabilities keep pace with our rapid product development, directly protecting our users across all our products. You'll also maintain incident detection and response capabilities for the company, and work on general security related projects. Recent projects include:

• Browser security audits

• SERP security mitigations

# About You

• 7+ years of experience in web or application security (performing security assessments, vulnerability research, penetration testing, or secure code review)

• Advanced programming or scripting experience with JavaScript. Any additional experience with our stack is a bonus: Swift/Kotlin/C#/JavaScript (native apps) or JavaScript/Perl/Go (search).

• Experience with at least one WebView technology (WebKit, WebView2, Chromium WebView, etc.) and understanding of browser security models (SOP, CSP, CORS, SameSite cookies)

• Hands-on experience identifying and exploiting web vulnerabilities (XSS, CSRF, injection attacks, authorization flaws, etc.)

• Familiarity with security testing tools and frameworks

• Experience partnering and collaborating with Product Engineers, advising on security matters and helping teams ship secure code faster

• Experience shaping how an organisation thinks about security - driving best practices, improving processes, and raising the bar across teams

$178,500USD annually and stock options. Compensation is [identical within professional levels](https://duckduckgo.com/how-we-work), regardless of geographic location or team. Compensation for each professional level is transparent across the organization.

Our[ Team Member Support Guide](https://duckduckgo.com/assets/hiring/team_support_guide.pdf) explains how we prioritize your wellbeing including paid parental leave, office setup,and co-working allowances.

# Hiring Process

Hiring works best when it's a two-way street. Learn how we help you get to know DuckDuckGo, envision your future role here, and find out more about [how we hire](https://duckduckgo.com/how-we-hire).

# Diversity, Equity and Inclusion

DuckDuckGo provides equal work opportunities to all team members and applicants, and it prohibits discrimination and harassment of any type on the basis of race, color, ethnicity, caste, religion, age, sex (including pregnancy), national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by our policies or federal, state, or local laws.

We want to ensure that our hiring process is accessible. If you need reasonable accommodation for any part of the application process because of a medical condition or disability, please send an email to [careers@duckduckgo.com](mailto:careers@duckduckgo.com) to let us know the nature of your request.

# Please note that:

• You’ll be required to attend meetings on camera via video conferencing

• Expect to travel at least two times a year: once for our all-hands meetup and again for a team retreat (each around 4-5 days). While extenuating circumstances may impact attendance, everyone is strongly encouraged to attend.

• While we offer a flexible work arrangement with no core hours, expect an average full-time commitment of 40 hours per week.

• A successful candidate must pass a background check as a condition of joining the team.

• By applying for this role, you confirm that all information submitted is accurate and complete. You further acknowledge that providing false or fraudulent information during the application process is cause for denial of an offer, revocation of any existing offer, or other adverse action, up to and including termination after the start of your commencement of work.

As part of our commitment to enhancing our recruitment process, we utilize artificial intelligence (AI) technology to assist in reviewing and summarizing job applications and test projects, including those tools integrated into our recruitment vendor platforms. We use AI to flag potentially fraudulent applications, analyze and summarize applicants’ experience, interviews, and project performance, and help streamline our selection process.

Key Principles:

• Data Privacy: All information provided in your application will be handled in accordance with our [Recruiting Privacy Policy](https://duckduckgo.com/static-assets/files/pages/careers/DuckDuckGo-Recruiting-Privacy-Policy-effective-September-30-2025.pdf). We ensure that your personal information is protected and used solely for recruitment purposes.

• Human Oversight and Accountability: The AI technology is designed to support our hiring team by providing insights and summaries of applications and evaluations of test projects against scoring rubrics. All final evaluations and hiring decisions, however, will be made by our hiring team, who will consider the AI's input alongside other factors.

• Transparency: We believe in transparency regarding our hiring practices. If you have any questions about how AI is used in our recruitment process, please feel free to reach out to us.

#LI-DNI

View this job on nocollar jobs