Security Analyst, Security Lab (Advisory Curation)

GitHub is looking for a Security Analyst to join its Security Lab. In this role you will contribute to the curation of the GitHub Advisory Database as well as the operation of the GitHub open source CVE program. You will help us grow the breadth and depth of our Advisory Database, and you will help us analyze vulnerability reports in order to address the problems of vulnerability uniqueness, transparency, and disclosure. You will also have opportunities to engage with the wider open source community. In addition to your curation responsibilities, you will also have the opportunity to pair with the Security Lab research team on projects. If you have a foundation in information security and are passionate about securing open source software development then this might be the perfect opportunity for you. 

Meet the Team:

The mission of the GitHub Security Lab is to inspire and enable the community to secure the open source software we depend on. We create a home for security researchers where they can collaborate and share, with the common goal of securing open source software.

The GitHub Advisory Database is a core part of the Security Lab’s mission. The GitHub Advisory Database is unique in that it is currently the only freely licensed dataset focused on general open source vulnerabilities. The role of a Security Analyst is to manage the content within the Advisory Database, the sources from which data is ingested into the Database, and the standards followed for the advisories in the ingested datasets. The vulnerability information shared in the database powers many open source tools, including Dependabot and npm audit.

The GitHub CVE program complements the GitHub Advisory Database. It allows open source maintainers to easily publish advisories and associate them with CVEs, which are the industry standard for vulnerability identifiers. A successful candidate will learn and enforce the CVE rules and apply them to GitHub Security Advisories as appropriate. Daily technical writing is required in this role.

Primary Responsibilities:

You will be charged with maintaining the completeness and correctness of the data within the Advisory Database and assigning CVE IDs for vulnerabilities reported by open source maintainers. As part of this role, you will:

  • Review CVE requests to ensure they conform to the CVE Program's rules, assign CVE IDs, and ultimately publish the CVE records to MITRE
  • Review, curate and publish security advisories, including their descriptions, affected product data, severity, and more using our curation tooling
  • Find ways to grow the breadth, depth, and influence of the GitHub Advisory Database, including:
    • Finding new vulnerability sources for advisory information
    • Expanding the amount and type of data that is curated
    • Reducing the time between first public disclosure and the database's advisory publication and alerting
    • Working with stakeholders, both internal and external, to help them make the best use of the dataset
    • Writing blog posts, giving talks, participating in industry standards working groups, and other kinds of public outreach
  • Collaborate with security researchers and influence their research with data you are collecting
  • Engage with the open source community to amplify vulnerability research, reporting and disclosure best practices, and work to improve the overall open source ecosystem
  • Work as part of a remote and geographically diverse team

Minimum Qualifications:

  • 1+ years of technical writing experience
  • Working knowledge of common software vulnerabilities and secure coding principles, and familiarity with common versioning schemes
  • 2+ years of experience in one or more modern programming languages and their associated package registries from the ecosystems supported by the database, such as:
    • JavaScript and npm
    • Java and Maven Central
    • Python and Python Packaging Index
    • PHP and Composer
    • Erlang/Elixir and Hex
    • GitHub Actions
    • Go and pkg.go.dev
    • C#/.NET and NuGet
    • Dart and Pub.dev
    • Ruby and RubyGems
    • Rust and crates.io

Preferred Qualifications:

  • Familiarity with git and other version control software
  • Strong understanding of open source software development and packaged software
  • Experience in the field of information security, system administration, or open source software maintenance
  • Familiarity with vulnerability analysis, vulnerability trends, and using common vulnerability metrics (CVSS, CWE)
  • Strong written and verbal communication skills in English
  • Familiarity with evaluating the risk, impact, and severity of a vulnerability
  • Familiarity with the CVE Program and how CVEs are used
  • Experience performing code reviews
  • Prior research experience
  • Previous experience using open source software and a strong interest in open source security
  • Previous experience in the software security domain is a big plus, though other relevant experience will be considered as well
  • Ability to work in a team, empathy for others when they need help, and accountability when they rely on you

You may be a good fit if:

  • You are passionate about helping every developer, regardless of experience level, learn, code, and ship software securely.
  • You are self-motivated, highly organized, and seeking a high-performance culture.
  • Your decisions are quick, calculated, and based on fact or backed by research.
  • You have a desire for ongoing learning and development.
  • You enjoy organizing and searching for information.
  • You have the confidence to respond to a problem with "I don't know, but I will find out!" and the knowledge and research mindset to learn.
  • You have worked either within or alongside engineers in the security/product security space.

Minimum salary of $75,000 to maximum $198,900.

In addition, certain roles also have the opportunity to earn sales incentives based on revenue or utilization, depending on the terms of the plan and the employee's role.

These pay ranges are intended to cover roles based across the United States. An individual's base pay depends on various factors including geographical location and review of the experience, knowledge, skills, and abilities of the applicant. At GitHub certain roles are eligible for benefits and additional rewards, including annual bonus and stock. These rewards are allocated based on individual impact in role.

Location: In this role, you can work remotely from anywhere in the United States.

Who We Are:

As the global home for all developers, GitHub is the complete AI-powered developer platform to build, scale, and deliver secure software. Over 100 million people, including developers from 90 of the Fortune 100 companies, use GitHub to build amazing things together across 330+ million repositories. With all the collaborative features of GitHub, it has never been easier for individuals and teams to write faster, better code.

Leadership Principles:

Customer Obsessed - Trust by Default - Ship to Learn - Own the Outcome - Growth Mindset - Global Product, Global Team - Anything is Possible - Practice Kindness

Why You Should Join:

At GitHub, we constantly strive to create an environment that allows our employees (Hubbers) to do the best work of their lives. We've designed one of the coolest workspaces in San Francisco (HQ), where many Hubbers work, snack, and create daily. The rest of our Hubbers work remotely around the globe. Check out an updated list of where we can hire here: https://github.com/about/careers/remote

We are also committed to keeping Hubbers healthy, motivated, focused and creative. We've designed our top-notch benefits program with these goals in mind. In a nutshell, we've built a place where we truly love working, and we think you will too.

GitHub is made up of people from a wide variety of backgrounds and lifestyles. We embrace diversity and invite applications from people of all walks of life. We don't discriminate against employees or applicants based on gender identity or expression, sexual orientation, race, religion, age, national origin, citizenship, disability, pregnancy status, veteran status, or any other differences. Also, if you have a disability, please let us know if there's any way we can make the interview process better for you; we're happy to accommodate!

Please note that benefits vary by country. If you have any questions, please don't hesitate to ask your Talent Partner.