Vercel Logo

Vercel

Senior Security Software Engineer, v0

Posted 15 Minutes Ago
Be an Early Applicant
Easy Apply
Hybrid
San Francisco, CA, USA
208K-312K Annually
Senior level
Easy Apply
Hybrid
San Francisco, CA, USA
208K-312K Annually
Senior level
Embedded senior security engineer owning end-to-end security for v0: proactively find and fix vulnerabilities, build security features (sandboxing, isolation, permission boundaries), review launches, manage HackerOne reports, refine threat models, harden code execution, and respond to v0-specific incidents while shipping product features alongside the team.
The summary above was generated by AI
About Vercel:

Vercel is the agentic infrastructure company. We free people and agents to ship what’s next.

For more than a decade, Vercel has shaped how the web is built. As the team behind Next.js, v0, and AI SDK, we create products that help builders move from idea to production with speed, security, and exceptional developer experience.

Now, software is entering a new era, and the next generation of products will not just be used by people. They will be built, extended, and operated by agents.

We are building the platform for that future, trusted by companies like OpenAI, PayPal, Ramp, Supreme, and millions of developers worldwide. Whether you’re building our products, supporting our customers, growing our community, or shaping our story, you’ll help define what comes next.

About the role

v0 turns natural language into working, deployed applications. An agent writes code, executes it, and ships it on a user's behalf. That makes v0 one of the most interesting and highest-stakes security surfaces at Vercel: sandboxed code execution, multi-tenant isolation, permission boundaries between what a user asked for and what the agent actually did, and resistance to prompt injection and tool misuse.

We're looking for a Senior (IC4) software engineer with a strong security background to sit fully embedded inside the v0 team, not as a rotating auditor who reviews designs and files tickets, but as a peer engineer who owns security end to end for everything v0 ships. That means finding and fixing vulnerabilities yourself, building security features directly into the product, reviewing every new feature and launch before it goes out, and running the relationship with our HackerOne researcher community for anything v0-related. You'll spend real time being a great generalist engineer: building features, fixing bugs, shipping to production alongside the rest of the team. The difference is that you bring security judgment and hands-on ownership to everything the team builds, and you're the one who catches the sandbox escape, the auth gap, or the injection vector before it ships, rather than after.

This role reports into the security organization but is deployed full-time with v0, and is evaluated as much on shipped product velocity as on security outcomes. As a senior (IC4) engineer, you're expected to operate independently, set the security bar for the team, and be trusted to make the final call on v0-specific tradeoffs.

What you will do
  • Find and fix issues yourself: Proactively hunt for vulnerabilities across v0, from code you're reviewing to systems you're actively poking at, and ship the fix, not just the finding.
  • Build security features directly into the product: Design and implement the security-facing functionality itself (sandboxing/isolation controls, permission boundaries, abuse detection, safe defaults for generated apps) as a normal part of the v0 roadmap, not a side project.
  • Review all new v0 features and launches: Be the security reviewer of record for everything the team ships (new capabilities, generated-app patterns, integrations) before it goes out the door.
  • Own the HackerOne relationship for v0: Triage, validate, and drive fixes for reports from Vercel's HackerOne researcher community that touch v0, and work directly with researchers on reproduction and remediation.
  • Own the v0 threat model: Understand and continuously refine how v0 generates, executes, and deploys code, including sandbox/runtime isolation, permission boundaries between agent actions and user intent, and defenses against prompt injection and tool-use abuse.
  • Harden code execution boundaries: Work directly on how agent-generated code is scoped, sandboxed, and constrained before it touches real infrastructure, including Vercel's own sandbox and serverless runtimes.
  • Build guardrails that don't slow the team down: Create patterns, libraries, and checks that let v0 engineers ship new generated-app capabilities quickly without reintroducing known bug classes (auth, SSRF, injection) each time.
  • Partner with central Product Security: Share threat models, incident learnings, and SDLC tooling with the broader security team, while making the final call on v0-specific tradeoffs since you have the deepest context on the product.
  • Respond to v0-specific security reports and incidents: Be the first responder and technical owner when a security issue is reported against v0 specifically.
  • Think like an attacker, and like an agent: Reason about how a user, or an agent acting on that user's behalf, could misuse v0 to attack itself, other tenants, or the platform underneath it.
About you
  • You're a software engineer first: 5+ years building and shipping production web applications, at a level where you operate independently (IC4/Senior). You can pick up a normal feature ticket and ship it end to end, this is not a pure audit/review role.
  • Strong full-stack fundamentals: Comfortable in TypeScript, React, and Node, and able to work in the same codebase, PR flow, and velocity as the rest of the v0 team.
  • Real security judgment: You understand authN/authZ design, sandboxing and isolation, injection vulnerability classes, and can reason about "an AI agent writing and running code" as a novel attack surface, even if your background so far has been primarily software engineering rather than a security title.
  • You influence through code, not just process: You'd rather fix the root cause in a PR than write a policy doc about it. You can be the security conscience of a fast-moving team without becoming its bottleneck.
  • Comfortable with ambiguity: v0's threat model is still being written. You're excited to define it rather than inherit a mature playbook.
  • Willing to build with v0, not just secure it: You're happy to actually go use v0 to build things and understand how our products work end to end, not just read the code from the outside.
Bonus if you have
  • Already a v0 user or familiar with how it and Vercel's broader product line work.
  • Hands-on experience with sandboxing, container isolation, or multi-tenant systems.
  • Done prompt injection / jailbreak / LLM application security research on an agentic or AI-powered product.
  • Previously shipped a coding agent, dev tool, or code-generation product end to end.
  • Relevant security certifications (OSCP, OSWE) or notable bug bounty / CTF history. Nice to have, not required for this role.
  • Enjoy building content and talking publicly about your work: blog posts, conference talks, or research writeups. We'd love for this role to help tell the story of how v0 approaches security, not just do the work quietly.
Benefits:
  • Competitive compensation package, including equity.
  • Inclusive Healthcare Package.
  • Learn and Grow - we provide mentorship and send you to events that help you build your network and skills.
  • Flexible Time Off.
  • We will provide you the gear you need to do your role, and a WFH budget for you to outfit your space as needed.

The San Francisco, CA base pay range for this role is $208,000.00 - $312,000.00. Actual salary will be based on job-related skills, experience, and location. Compensation outside of San Francisco may be adjusted based on employee location. The total compensation package may include benefits, equity-based compensation, and eligibility for a company bonus or variable pay program depending on the role. Your recruiter can share more details during the hiring process. 

Vercel is committed to fostering and empowering an inclusive community within our organization. We do not discriminate on the basis of race, religion, color, gender expression or identity, sexual orientation, national origin, citizenship, age, marital status, veteran status, disability status, or any other characteristic protected by law. Vercel encourages everyone to apply for our available positions, even if they don't necessarily check every box on the job description.


HQ

Vercel San Francisco, California, USA Office

San Francisco, California 94133, UaS, San Francisco, CA, United States, 94133

Similar Jobs at Vercel

15 Minutes Ago
Easy Apply
Hybrid
San Francisco, CA, USA
Easy Apply
208K-312K Annually
Mid level
208K-312K Annually
Mid level
Artificial Intelligence • Cloud • Software
Perform deep security assessments of open source framework internals (routing, middleware, caching, build tooling), find and fix systemic vulnerability classes, own disclosure/CVE processes, triage and run OSS bug bounty reports, build preventive tooling (linters, codemods, CI), and harden supply chain practices for Vercel-maintained projects.
Top Skills: CiCodemodsJavaScriptLintersNext.JsNitroNode.jsNuxtSigstoreSlsaSvelteSveltekitSwrTurborepoTypescriptWorkflow
20 Hours Ago
Easy Apply
Hybrid
San Francisco, CA, USA
Easy Apply
208K-312K Annually
Senior level
208K-312K Annually
Senior level
Artificial Intelligence • Cloud • Software
Build core primitives and runtime for Eve, Vercel's framework for production AI agents. Implement filesystem conventions, compiler, integrations (chat channels, connectors), developer tooling, observability/evaluation, and collaborate with platform teams and customers to improve agent reliability and DX.
Top Skills: Ai SdkAPIsCliCronJavaScriptLlm ApisMcpNext.JsSandboxSlackTypescriptVercel ConnectVercel WorkflowsWeb ChatWhatsapp
Yesterday
Easy Apply
Remote or Hybrid
United States
Easy Apply
208K-312K Annually
Senior level
208K-312K Annually
Senior level
Artificial Intelligence • Cloud • Software
Design high-visibility web surfaces (vercel.com, nextjs.org, product launches, Ship) and brand moments across web, motion, 3D, illustration, and events. Own end-to-end creative vision, set typographic and motion craft standards, design reusable systems and patterns, and collaborate closely with design engineers to ship polished production work.

What you need to know about the San Francisco Tech Scene

San Francisco and the surrounding Bay Area attracts more startup funding than any other region in the world. Home to Stanford University and UC Berkeley, leading VC firms and several of the world’s most valuable companies, the Bay Area is the place to go for anyone looking to make it big in the tech industry. That said, San Francisco has a lot to offer beyond technology thanks to a thriving art and music scene, excellent food and a short drive to several of the country’s most beautiful recreational areas.

Key Facts About San Francisco Tech

  • Number of Tech Workers: 365,500; 13.9% of overall workforce (2024 CompTIA survey)
  • Major Tech Employers: Google, Apple, Salesforce, Meta
  • Key Industries: Artificial intelligence, cloud computing, fintech, consumer technology, software
  • Funding Landscape: $50.5 billion in venture capital funding in 2024 (Pitchbook)
  • Notable Investors: Sequoia Capital, Andreessen Horowitz, Bessemer Venture Partners, Greylock Partners, Khosla Ventures, Kleiner Perkins
  • Research Centers and Universities: Stanford University; University of California, Berkeley; University of San Francisco; Santa Clara University; Ames Research Center; Center for AI Safety; California Institute for Regenerative Medicine

Sign up now Access later

Create Free Account

Please log in or sign up to report this job.

Create Free Account