Security Engineer – Bug Bounty at Interactive Brokers
IndiaFull-timeTechnologyPosted 8 days ago
Apply with PipelineAbout the Role
<div class="content-intro"><p></p>
<h3>Company Overview</h3>
<p>Interactive Brokers Group, Inc. (Nasdaq: IBKR) is a global financial services company headquartered in Greenwich, CT, USA, with offices in over 15 countries. We have been at the forefront of financial innovation for over four decades, known for our cutting-edge technology and client commitment.</p>
<p>IBKR affiliates provide global electronic brokerage services around the clock on stocks, options, futures, currencies, bonds, and funds to clients in over 200 countries and territories. We serve individual investors and institutions, including financial advisors, hedge funds and introducing brokers. Our advanced technology, competitive pricing, and global market help our clients to make the most of their investments.</p>
<p>Barron's has recognized Interactive Brokers as the #1 online broker for six consecutive years. Join our dynamic, multi-national team and be a part of a company that simplifies and enhances financial opportunities using state-of-the-art technology.</p>
<p></p></div><p><strong><span data-contrast="none"><span data-ccp-parastyle="heading 1">Security </span><span data-ccp-parastyle="heading 1">Engineer -</span><span data-ccp-parastyle="heading 1"> </span><span data-ccp-parastyle="heading 1">Bug Bounty</span></span></strong><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"335559738":322,"335559739":322}"> </span></p>
<p><strong><span data-contrast="none"><span data-ccp-parastyle="heading 2">About the Role</span></span></strong><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"335559738":299,"335559739":299}"> </span></p>
<p><span data-contrast="auto">We are looking for a Security Engineer focused on Bug Bounty who treats researcher reports as security data, not support tickets. This is not a coordination role — you will be hands-on validating vulnerabilities, reproducing exploits, and working directly with engineering teams to drive fixes. You will own the full lifecycle of the program: scope design, triage, researcher relations, remediation tracking, and the upstream feedback that turns external findings into internal controls.</span><span data-ccp-props="{}"> </span></p>
<p><span data-contrast="auto">The other half of this role is developer partnership. Findings that sit in a backlog do not improve security. You will reduce the friction that keeps confirmed vulnerabilities from being fixed — translating researcher reports into clear remediation guidance, removing ambiguity that slows engineers down, and identifying the process or tooling gaps that let the same vulnerability class appear repeatedly.</span><span data-ccp-props="{}"> </span></p>
<p><span data-contrast="auto">A deep understanding of how vulnerabilities actually work — not just how to classify them — is fundamental to success here.</span><span data-ccp-props="{}"> </span></p>
<p><strong><span data-contrast="none"><span data-ccp-parastyle="heading 2">What You'll Do</span></span></strong><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"335559738":299,"335559739":299}"> </span></p>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="1" data-aria-level="1"><strong><span data-contrast="auto">Own day-to-day operations</span></strong><span data-contrast="auto"> of the bug bounty program on the managed platform, including report triage, severity assessment, researcher communication, and payout decisions — maintaining SLA compliance across all inbound volume</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="2" data-aria-level="1"><strong><span data-contrast="auto">Reproduce and technically validate</span></strong><span data-contrast="auto"> submitted vulnerabilities across web, API, mobile, and trading infrastructure attack surfaces — reason independently about exploitability in context, not just what the report claims</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="3" data-aria-level="1"><strong><span data-contrast="auto">Classify findings</span></strong><span data-contrast="auto"> using CVSS, OWASP, and business impact criteria; distinguish genuine risk from theoretical severity; escalate critical issues into incident response workflows with enough context for engineering leadership to act immediately</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="4" data-aria-level="1"><strong><span data-contrast="auto">Act as a remediation partner</span></strong><span data-contrast="auto">, not just a reporter — work directly with developers to clarify findings, provide exploit context, reproduce issues where needed, and give fix guidance grounded in how the vulnerability actually works; track what slows remediation and fix it</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="5" data-aria-level="1"><strong><span data-contrast="auto">Identify recurring vulnerability classes</span></strong><span data-contrast="auto"> across inbound reports and feed patterns back into AppSec initiatives — SAST rule tuning, developer training, design review checklists — closing the loop from external discovery to internal prevention</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="6" data-aria-level="1"><strong><span data-contrast="auto">Maintain program scope</span></strong><span data-contrast="auto">, out-of-scope guidance, and rules of engagement; adjust based on surface area changes, new products, and program maturity signals</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="7" data-aria-level="1"><strong><span data-contrast="auto">Coordinate with legal, compliance, and communications</span></strong><span data-contrast="auto"> on responsible disclosure edge cases, researcher disputes, and public disclosure timelines</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="8" data-aria-level="1"><strong><span data-contrast="auto">Produce monthly and quarterly program metrics</span></strong><span data-contrast="auto"> for security leadership — coverage, triage velocity, remediation cycle times, finding trends — with enough analytical depth to drive program decisions</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="9" data-aria-level="1"><strong><span data-contrast="auto">Evaluate attack surface expansions</span></strong><span data-contrast="auto"> — new APIs, products, acquisitions — for readiness to enter program scope</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<p><strong><span data-contrast="none"><span data-ccp-parastyle="heading 2">What We're Looking For</span></span></strong><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"335559738":0,"335559739":0}"> </span></p>
<p><em><span data-contrast="auto">These are the capabilities that matter for this role. Strong candidates will not check every box. Depth in vulnerability validation and developer partnership matters more than broad platform familiarity. If you have operated on both sides of the researcher-developer relationship, we want to hear from you.</span></em><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></p>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="1" data-aria-level="1"><strong><span data-contrast="auto">2–5 years</span></strong><span data-contrast="auto"> in application security, penetration testing, bug bounty operations, or a security engineering role with hands-on validation focus</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="2" data-aria-level="1"><strong><span data-contrast="auto">Strong foundational knowledge</span></strong><span data-contrast="auto"> of how web application vulnerabilities work at a technical level — SSRF, IDOR, auth bypass, injection classes, business logic flaws, API authorization failures, OAuth misconfigurations — not just awareness of their names</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="3" data-aria-level="1"><strong><span data-contrast="auto">Ability to read a researcher report</span></strong><span data-contrast="auto"> and independently reason about exploitability in the specific context of the application — understand trust boundaries, data flow, and what an attacker would actually need to trigger the finding</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="4" data-aria-level="1"><strong><span data-contrast="auto">Experience operating a bug bounty or vulnerability disclosure program</span></strong><span data-contrast="auto"> on a managed platform — Bugcrowd, HackerOne, or equivalent — with ownership of triage decisions and researcher communication</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="5" data-aria-level="1"><strong><span data-contrast="auto">Strong written communication under pressure</span></strong><span data-contrast="auto"> — you will be writing triage decisions to elite researchers and remediation guidance to developers simultaneously; both audiences require clarity and credibility</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="6" data-aria-level="1"><strong><span data-contrast="auto">Familiarity with REST and GraphQL API security</span></strong><span data-contrast="auto">, OAuth 2.0 flows, session management, and web application architecture at the level needed to validate findings without relying on the researcher's reproduction steps alone</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="7" data-aria-level="1"><strong><span data-contrast="auto">Ability to work cross-functionally with engineering teams</span></strong><span data-contrast="auto"> — translate security findings into actionable, developer-friendly guidance that engineers will actually implement rather than defer</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<p><strong><span data-contrast="none"><span data-ccp-parastyle="heading 2">Nice to Have</span></span></strong><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"335559738":0,"335559739":0}"> </span></p>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="1" data-aria-level="1"><strong><span data-contrast="auto">Active bug bounty participation as a researcher</span></strong><span data-contrast="auto"> — candidates who have filed reports themselves understand what makes a finding credible, what frustrates researchers about triage decisions, and how to run a program that retains high-signal contributors</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="2" data-aria-level="1"><strong><span data-contrast="auto">Development background</span></strong><span data-contrast="auto"> — candidates who have written production code and personally addressed security vulnerabilities bring a fundamentally different perspective to remediation partnership; they understand why developers make the choices they do, where fixes break things, and how to give guidance that engineers will actually act on</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="3" data-aria-level="1"><strong><span data-contrast="auto">Experience in financial services or a similarly regulated environment</span></strong><span data-contrast="auto"> — understanding the compliance overlay on remediation timelines and disclosure decisions changes how you prioritize and escalate</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="4" data-aria-level="1"><strong><span data-contrast="auto">Scripting ability in Python or Bash</span></strong><span data-contrast="auto"> — for triage automation, scope monitoring, duplicate detection, or metrics extraction from platform APIs</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<ul>
<li data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" data-aria-posinset="5" data-aria-level="1"><strong><span data-contrast="auto">Familiarity with DAST tooling</span></strong><span data-contrast="auto"> (Burp Suite Pro, Nuclei, ZAP) — candidates who can independently reproduce and extend researcher findings without relying solely on the submitted reproduction steps are significantly more effective in this role</span><span data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span></li>
</ul>
<h4>Company Benefits & Perks: </h4>
<ul>
<li>Competitive salary package.</li>
<li>Performance based annual bonus (<em>cash and stocks</em>).</li>
<li>Hybrid working model (3 <em>days office/week</em>).</li>
<li>Group Medical & Life Insurance.</li>
<li>Modern offices with free amenities & fully stocked cafeterias.</li>
<li>Monthly food card & company paid snacks.</li>
<li>Hardship/shift allowance with company provided pickup & drop facility*</li>
<li>Attractive employee referral bonus.</li>
<li>Frequent company sponsored team building events and outings.</li>
</ul>
<p>* <em>Depending upon the shifts.</em></p>
<p>**<em>The benefits package is subject to change at the management's discretion.</em></p>
<p> </p>
<p> </p>
Related Roles
Security Engineer II - Red Team (BAS)
Interactive Brokers
Mumbai, IndiaSecurity Operator I
Interactive Brokers
Hyderabad, IndiaApplication Security Engineer
Interactive Brokers
IndiaNetwork Security Specialist
Interactive Brokers
Mumbai, IndiaTrade Support Engineer
Interactive Brokers
Hong KongApplication Support Engineer
Interactive Brokers
Hong Kong