Product Security Engineer
Hashgraph
Posted: January 22, 2026
Quick Summary
Conduct comprehensive product security testing and validation of Hashgraph's Hedera platform, ensuring the security and stability of the network.
Job Description
About Hashgraph:
Hashgraph is a fast-growing software company committed to supporting, developing and servicing Hedera, an open-source, proof-of-stake platform. Hedera is EVM-compatible and has been specifically built to meet the needs of enterprise and Web3 applications, which require speed, security, stability and sustainability. Hedera’s public network is governed by industry-leading organizations, spanning 11 sectors and 14 regions, that oversee the development and direction of the decentralized platform.
You may find yourself doing all of the following:
• Conduct comprehensive product security assessments of blockchain-based systems, with a strong focus on Web3 security, smart contracts, and protocol-level risks
• Design and write malicious smart contracts and adversarial test cases to exploit and identify vulnerabilities in Hedera Blockchain and EVM-compatible systems
• Develop, implement, and continuously improve security strategies, architectures, and best practices for Hedera blockchain protocols, smart contracts, bridges, and associated services
• Partner closely with engineering teams to embed security into design, development, and deployment workflows
• Design and execute penetration testing, threat modeling, and vulnerability assessments across blockchain networks, nodes, APIs, and supporting infrastructure
• Identify, track, and stay ahead of emerging blockchain and Web3 threats, exploits, and attack patterns; provide actionable mitigation guidance
• Build and contribute to security tooling, frameworks, and automation tailored for blockchain environments, including CI/CD integrations
• Leverage AI/LLMs and automation to enhance product security reviews, vulnerability discovery, threat modeling, and security testing workflows
• Assist in incident response and post-incident analysis related to blockchain security events, including root cause analysis and remediation guidance
• Educate engineers and internal stakeholders on blockchain security principles, secure coding practices, and real-world attack scenarios
• Participate in and contribute to security awareness and secure development training programs across the organization
Qualification Requirements:
• Must be available to work within the EU time zones
• Bachelor’s or Master’s degree in Computer Science, Information Security, Cryptography, Blockchain, or a related field (or equivalent practical experience)
• 8+ years of experience in product security, application security, or penetration testing, including 2+ years focused on blockchain security, smart contract auditing, or Web3 security
• Solid understanding of EVM internals, smart contract execution, and common Web3 architectures; knowledge of Hedera Blockchain is a strong plus
• Deep knowledge of Web3 technologies and protocols, such as Ethereum, gossip-based networks, IPFS, and related decentralized systems
• Proven experience with blockchain-specific security assessment tools, methodologies, and manual testing techniques
• Strong understanding of blockchain attack vectors and vulnerability classes, including gas fees, authorization control flaws, fungible and non-fungible token issues, and bridge exploits
• Working knowledge of cryptographic principles and protocols relevant to blockchain systems (hashing, signatures, key management, consensus assumptions)
• Hands-on experience with static analysis, dynamic analysis, fuzzing, and custom security testing tools
• Strong understanding of secure coding practices, particularly in Java and Rust
• Excellent analytical, problem-solving, and communication skills, with the ability to collaborate effectively across engineering and product teams
Other skills that are great to bring with you but that we can help you develop:
• Industry-recognized security certifications such as OSCP, OSEP, OSWA, OSWE; blockchain security certifications are a plus
• Experience in bug bounty programs, security research, CVE publications, red teaming, or attack surface management
• Experience securing or operating systems in cloud environments (AWS, GCP, Azure), including IAM and key management
• Proficiency in scripting and general-purpose programming languages such as Python, Bash, or PowerShell for tooling and automation
• Experience with containerization and orchestration technologies (Docker, Kubernetes) and their associated security best practices
• Familiarity with DevSecOps pipelines, CI/CD security controls, and infrastructure-as-code security