Senior Systems Security Engineer and Vulnerability Researcher

We are seeking an experienced Senior Systems Security Engineer & Vulnerability Researcher with deep expertise in OS security, container security, hypervisor security, and process sandboxing. The role requires robust offensive security skills in identifying and exploiting vulnerabilities, particularly within the Internet Computer (IC) platform and its execution environments.

The ideal candidate will conduct thorough security research, perform vulnerability assessments, develop exploits, and continuously monitor/improve security posture of the IC platform.

This is a hybrid-onsite position (onsite 3x per week), based out of our new office in the heart of San Francisco.

Key Responsibilities:

Hypervisor & Virtualization Security

• Research and mitigate security risks in QEMU-based virtualization, VM isolation, and guest-to-host escape vulnerabilities.
• Analyze attack surfaces within virtual machines, hypervisors, and inter-VM communication mechanisms.
• Develop and test exploit techniques targeting hypervisor weaknesses, side-channel leaks, and container escapes.
• Design and enhance secure VM execution models and Trusted Execution Environments (TEE) using AMD SEV-SNP to enforce strong VM isolation, protect workloads from compromised hypervisors, and ensure memory confidentiality and integrity.

Operating System & Process Isolation Security

• Strengthen Linux OS security, including process isolation, sandboxing, and syscall filtering.
• Improve Mandatory Access Control (MAC) policies (SELinux) to enforce stricter access controls.
• Research and refine sandboxing strategies to contain untrusted processes. Assess process sandboxing techniques to contain untrusted execution
• Identify and mitigate kernel privilege escalation vectors, particularly in containerized and virtualized environments.

Vulnerability Research & Exploit Development

• Perform reverse engineering, binary analysis, and fuzzing to uncover vulnerabilities across OS, hypervisor, and VM execution layers.
• Develop proof-of-concept (PoC) exploits to validate security threats and recommend mitigation strategies
• Analyze and improve secure boot mechanisms, firmware security, and disk encryption strategies for virtualized environments.

Security Hardening & Mitigations

• Work closely with engineers to design and implement hypervisor and VM security mitigations.
• Research and propose hardened runtime environments that defend against modern attack techniques.
• Track emerging threats in virtualization security, container security, and OS sandboxing.

Red Team Strategy & Execution

• Lead and design sophisticated Red Team operations targeting Internet Computer Protocol, governance, subnets, nodes, and system dApps.
• Develop adversary emulation plans to test both platform and infrastructure defenses, identifying weaknesses before they can be exploited.

Requirements:

• Deep understanding of Linux security internals, including kernel attack surfaces, syscall security, privilege separation and process isolation
• Expertise in QEMU/KVM security, including guest-to-host escapes, hypervisor hardening, and VM isolation techniques.
• Hands-on experience analyzing hypervisor-level attacks, VM escape techniques, and virtualization security mitigations.
• Understanding of side-channel vulnerabilities (e.g., Spectre, Meltdown, L1TF, MDS) affecting virtualization environments.
• Proficiency in Trusted Execution Environments (TEE) and secure virtualization, with a focus on QEMU and AMD SEV-SNP for workload confidentiality and integrity.
• Experience with reverse engineering tools (Ghidra, IDA Pro, Binary Ninja, binwalk) and fuzzing frameworks.
• Skilled in adversary emulation, lateral movement techniques, privilege escalation, and exfiltration tactics.
• Expertise in securing containerized environments, including Kubernetes security, container hardening, and runtime protection.

Base Salary Range:  $175,000 - $240,000/yr

This position can be considered across multiple levels. Total compensation at DFINITY consists of base salary + generous bonus and is determined based on multiple factors including job leveling, areas of expertise, educational background, geographic location and overall experience.  

In addition to the cash components of our offers, we have generous benefits including top tier medical, dental, and vision insurance; disability insurance; life insurance; 401(k); flexible PTO policy in addition to paid holidays.

About DFINITY and the Internet Computer:

DFINITY is a leading contributor to the Internet Computer Protocol (ICP), with a mission to bring the world's compute onto the secure ICP network. Built on its unique third-generation blockchain technology, ICP enables the development and operation of a new generation of unstoppable, tamper-proof, fully decentralized web applications. Its powerful technology can run entire AI models within smart contracts, representing a major advancement for secure AI. Through seamless integration with Bitcoin, Ethereum, and other networks, ICP facilitates multi-chain operations for digital assets and web3.
Join our team of over 250 talented individuals, including world-renowned cryptographers, distributed systems engineers, programming language experts, and industry leaders, who are shaping the future of the internet and web3.   DFINITY was founded in 2016 by entrepreneur and crypto theoretician, Dominic Williams.

All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status.