Sr. Vulnerability Researcher

The Software Engineering Institute (SEI) at Carnegie Mellon University is a Federally Funded Research and Development Center (FFRDC) focused on advancing software engineering, cybersecurity, and process improvement. The SEI works closely with defense and government organizations, industry, and academia to continually improve software-intensive systems. Our core purpose is to help organizations improve software engineering capabilities and develop or acquire the right software, defect free, within budget and on time, every time. 
 
The SEI CERT Division is seeking applicants for the Senior Vulnerability Researcher role. The Vulnerability Analysis Team, within the Threat Analysis Directorate, is an elite team of National Security dedicated personnel that work to reduce the societal harm from vulnerable information processing systems and related processes. The Vulnerability Analysis Team has three core functions:  1) research and development (R&D) of systemic software vulnerabilities and Coordinated Vulnerability Disclosure (CVD) processes; 2) vulnerability response and management to mitigate priority vulnerabilities; and 3) vulnerability community outreach and engagement to influence software policies and standards.

As a Senior Vulnerability Researcher you will have opportunity to advance the start-of-the-art in software and system vulnerability research and advance the CVD operations in a national and global scale. You’ll also collaborate with network defenders, developers, security researchers, and policymakers, and share findings through advisories, papers, and tools. You will have the opportunity to influence upcoming technology trends leading to more secure and sustainable systems.
 
What you will do: 

• Develop state of the art approaches to analyze assembled software in various forms. 
• Apply these approaches to discover and understand systemic vulnerabilities in software systems and how threats evolve from these enable attacker’s tradecraft.
• Study and influence the software security ecosystem to address the entire vulnerability lifecycle.
• Evaluate vulnerability analysis reports submitted by world-class researchers to assess and analyze these with a strong grasp of the details. 
• Employ vulnerability analysis to uncover fundamental assumptions and flaws in the current underlying software and system development practices.  
• Conduct vulnerability response and management (CVD) to mitigate discovered or reported software, system, AI, and systemic vulnerabilities.
• Improve the CVD process and supporting tools to scale and address vulnerabilities in a timely fashion.
• Publish reports, technical notes, white papers, Vulnerability Notes, and blog posts to a variety of audience. 
• Conduct outreach and engagement activities across the vulnerability communities (public and private) to influence software security policies and standards. 

Who you are: 

• You are dedicated to protecting our nation’s sovereignty and ensuring the safety of our citizens.
• You have a deep interest in cybersecurity, intellectual curiosity, and a desire to create national-level impacts beyond our organization. 
• You enjoy developing and communicating innovative ideas and thinking creatively to solve tough problems. 
• You relate collaboratively and diplomatically with people inside and outside the organization. 
• You have a strong understanding of research methods in computer science, engineering and security, and related fields as well as of Internet fundamentals including network protocols, provider operations and governance. 
• You enjoy mentoring and training others as well as sharing knowledge.

You have experience: 

• Vulnerability research, discovery, assessment, analysis, disclosure, and mitigation 
• Applying knowledge of technology, systems architecture, and security best practices to practical problems in enterprise security
• Advising on a range of security topics based on research, development, and expert opinion  
• Organizing, planning, and executing complex projects 
• Communicating complex system designs, technical approaches and road maps to sponsors, project managers and technical staff, and the ability to distill the implications of complex research results and apply those results to large-scale operations 
• Applying modern data-driven research methods to cost-effectiveness analysis, risk analysis and information security decision making and collaborating on industry and academic community projects 
• Developing software in a variety of software programming languages both modern and legacy
• Mathematical programming, statistical modeling, or machine learning 
• Recognizing and properly handling confidential and sensitive information

 
You have: 

• BS in Computer Science, Information Science, or Analytical discipline with ten (10) years of experience; OR MS in the same fields with eight (8) years of experience; OR PhD in the same fields with five (5) years of experience. 
• Willingness to travel to various locations to support the SEI’s overall mission. This includes sponsor sites, conferences, and offsite meetings on occasion. Moderate Travel (15%) 
• Are subject to a background check and obtain and maintain an active Department of Defense security clearance.  Applicants for this position must be currently legally authorized to work for CMU in the United States. CMU will not sponsor or take over sponsorship of an employment visa for this opportunity.

Why work here? 

• Join a world-class organization of National Security superheroes that have unrivaled impact on software, system, AI, and systemic vulnerabilities. 
• Work with cutting edge technologies and experts to solve tough problems for the government and the nation. 
• Get 8% monthly contribution for your retirement, without having to contribute yourself. 
• Get tuition benefits to CMU and other institutions for you and your dependent children. 
• Enjoy a healthy work/life balance with flexible work arrangements and paid parental and military leave. 
• Get access to university resources including mindfulness programs, childcare and back-up care benefits, a monthly transit benefit on WMATA, free transportation on the Pittsburgh Regional Transit System. 
• Enjoy annual professional development opportunities; attend conferences and training or obtain a certification and get reimbursed for membership in professional societies. 
• Qualify for relocation assistance and so much more.

Location

Pittsburgh, PA

Job Function

Software/Applications Development/Engineering

Position Type

Staff – Regular

Full time/Part time

Full time

Pay Basis

Salary

More Information: 

• Please visit “Why Carnegie Mellon” to learn more about becoming part of an institution inspiring innovations that change the world. 

• Click here to view a listing of employee benefits

• Carnegie Mellon University is an Equal Opportunity Employer/Disability/Veteran. 

• Statement of Assurance