Full-timeInformation Systems and Security

Hashgraph

Product Security Engineer

Remote within EU/APAC

Posted

19d ago

Type

Full-time

Location

Remote within EU/APAC

Job Overview

About Hashgraph: Hashgraph is a fast-growing software company committed to supporting, developing and servicing Hedera, an open source, proof-of-stake platform. Hedera is EVM-compatible and has been specifically built to meet the needs of enterprise and web3 applications, which require speed, security, stability and sustainability. Hedera’s public network is governed by industry-leading organizations, spanning 11 sectors and 14 regions who oversee the development and direction of the decentralized platform. The role: We are hiring a Product Security Engineer to embed security into the product development lifecycle and ensure vulnerabilities are found by us before they are found by others. Hedera is an enterprise-grade distributed ledger securing billions of transactions for global developer and institutions. As the platform grows with new protocol upgrades, EVM-compatible services, cross-chain infrastructure, and cryptographic primitives, the attack surface grows with it. This role exists to ensure that security is a first-class property of every protocol upgrade, smart contract, and node shipped to production. In this role, you will: • Conduct end-to-end security assessments of blockchain-based systems, from cryptographic primitive design and protocol architecture through smart contract implementation and deployed infrastructure. • Find real vulnerabilities through hands-on review, adversarial testing, and proof-of-concept exploit development, not just automated scanning. • Design adversarial test cases and proof-of-concept exploits for Hedera-native services, EVM-compatible contracts, cross-chain bridges, and consensus-layer components. • Own threat modeling and security architecture reviews across product phases. • Define and enforce security gates before new components reach production. • Partner directly with engineering teams to translate cryptographic and protocol-level risks into concrete, prioritized remediation work. • Build and improve security tooling, fuzzing infrastructure, and CI/CD security automation to scale security coverage without scaling headcount. • Track emerging blockchain and web3 attack patterns, map them to the internal codebase, and drive proactive mitigation before threats materialize. What success looks like in 6-12 months: • Security review processes are integrated across major product development workflows, not bolted on at the end. • Security tooling and automated checks are running inside CI/CD pipelines, reducing manual review burden. • The vulnerability backlog is prioritized and actively shrinking through structured developer collaboration. • Engineering teams have meaningfully improved their working knowledge of web3 attack patterns and secure coding practices. What you bring: Core capabilities: • Hands-on vulnerability discovery and security testing across blockchain protocols, smart contracts, nodes, and APIs. • A track record of catching real bugs, not just running automated scans. • Strong threat modeling and security architecture review experience applied to distributed cryptographic systems. • Experience assessing cross-chain protocols, threshold signature schemes, or other cryptographic systems with complex trust assumptions. • Deep working knowledge of applied cryptography, including BLS signatures, pairing-based schemes, polynomial commitments, and Fiat-Shamir constructions. • Ability to reason about cryptographic failure modes and how they show up in production systems. • Direct experience auditing or breaking a cross-chain bridge. • Ability to reason through trust model tradeoffs, including state proof, multisig, and oracle attestation models, and what each means for the attack surface. Functional expertise: • Blockchain security and secure coding practices across EVM-compatible and non-EVM chains. • Security testing tooling, including static analysis, dynamic analysis, and fuzzing. • Experience developing custom fuzzing harnesses or security test infrastructure. • Ability to read and audit Rust and/or Java cryptographic code. • Understanding of memory safety, constant-time correctness, secret handling, and security risks at JNI boundaries. Nice to haves: • Experience designing and operating grammar-aware fuzzing campaigns against gRPC, JSON-RPC, or protocol-level endpoints. • Experience building classifier pipelines to distinguish security signal from noise. • Prior work on Ethereum consensus client security. • Prior work on production threshold signature systems. • Experience building security automation tooling. • Experience integrating AI-assisted workflows into security review and triage processes.

Core Requirements

Information Systems and Security