Security Engineer

Prague

SatoshiLabs

Join us to revolutionize and empower self-custody, fortify digital security, and advance decentralized finance.


We are SatoshiLabs, world-renowned pioneers in digital security and a bitcoin-first tech holding. We defined a whole new industry and proudly stand behind extraordinary projects, such as Trezor, Invity, Tropic Square and Vexl.

As a Security Engineer for Product at SatoshiLabs, you will ensure that Trezor’s software products are developed, maintained, and operated in accordance with rigorous security best practices.

You will focus on enhancing the entire development lifecycle, primarily in areas such as dependency management, secure coding, and threat modeling. You will collaborate with the firmware and R&D teams to strengthen our firmware security while driving effective automation and providing actionable insights to development teams.

You will also write post-mortems for technical security incidents and be responsible for addressing penetration testing findings in a timely manner.

You will collaborate daily with product teams—including those working on desktop and mobile applications as well as firmware—while maintaining select internal security responsibilities. Your top priority will be fortifying Trezor’s product ecosystem.

We have ambitious growth plans and we need you to make that happen!

👉 What will your duties be?

Threat modeling for Trezor Suite, Firmware, and Trezor.io

  • Research and document project dependencies, including where and how they are integrated into the build process. Provide insights into specific dependencies and assess their associated risks

  • Develop comprehensive threat models that consider both software and hardware components (e.g., code signing, supply chain security)

Vulnerability management & incident response

  • Triage and analyze reported vulnerabilities from internal teams, third-party researchers, and penetration tests

  • Drive remediation efforts by coordinating with engineering, QA, and product owners to ensure timely and effective fixes

  • Lead or participate in technical root cause analyses for security incidents (beyond just dependency-related issues), documenting thorough post-mortems and recommending long-term improvements

  • Contribute to ongoing improvements for SatoshiLabs’ Bug Bounty Program, ensuring a smooth reporting and remediation workflow

  • Integrate findings into a continuous improvement process, including retesting and feedback loops to strengthen the security posture

Investigate projects’ dependency management

Cross-functional collaboration

  • Collaborate with product leads and engineering managers to prioritize security tasks within the product development lifecycle, ensuring alignment with the Secure Software Development Lifecycle (SSDLC).

  • Develop and maintain risk assessments for technologies and libraries in use

💪 What makes you a perfect candidate?

  • 3+ years in a security-focused engineering role (for example, application security, secure software development, penetration testing)

  • Solid understanding of secure software development in frontend and backend environments (experience with JavaScript or TypeScript is a big plus)

  • Experience with desktop application (Electron) security (Windows, macOS, Linux) is highly valued

  • Basic understanding of recognized frameworks (e.g., ISO 27001, OWASP ASVS, NIST CSF) to ensure consistency, compliance, and alignment with industry best practices

  • Basic knowledge of cryptographic principles and CEH certification is an advantage

  • Strong collaboration and communication abilities, comfortable coordinating with both technical and non-technical stakeholders

  • Demonstrated leadership in guiding teams to adopt security best practices without sacrificing delivery timelines

  • Experience with cryptocurrency-related products or projects is a big plus

  • Proficiency in English; Czech is advantageous but not required

🤝 What will you get in return?

  • Unique opportunity to be a part of a brand that has revolutionized the crypto industry more than once

  • Possibility to receive part of your compensation in bitcoin

  • Flexible working hours as well as the possibility of working from home

  • Budget for professional development (training programs, courses, and workshops of your choice)

  • Renovated offices (including gym, football table, billiards, PlayStation and 3D printer)

  • Other benefits such as a MultiSport card, company mobile phone tariff, etc.

  • Free on-site parking

👋 Sounds good? Please don't hesitate to submit your CV, together with a cover letter. We’ll definitely get in touch with you as soon as we review your application, most likely within a week.


Tags: Application security Automation CEH Compliance Crypto DAST GitHub Incident response ISO 27001 JavaScript Linux MacOS NIST OWASP Pentesting R&D Risk assessment SAST SDLC SSDLC TypeScript Vulnerabilities Vulnerability management Windows

Perks/benefits: Career development Fitness / gym Flex hours

Region: Europe
Country: Czechia
