Application Security Engineer

Polymarket is the world's largest prediction market platform. We enable individuals to express views on real-world events by trading on outcomes across politics, economics, sports, culture, and current affairs. Built as a peer-to-peer marketplace with no centralized "house," Polymarket aggregates diverse opinions into transparent, market-based probabilities that reflect collective expectations about the future. We're growing fast — both in terms of volume ($21B traded in 2025) and adoption as an alternative news source. Our ambition is to become a ubiquitous beacon of truth in global media and we need your help adding fuel to the fire.

• •Own the application security program across the SDLC — from design review through deployment — ensuring security is addressed early and consistently
• •Conduct threat modeling on new features and architectural changes; perform security design reviews and code reviews on high-risk changes with specific, actionable findings
• •Own the SAST, DAST, and SCA toolchain — selection, deployment, tuning, and CI/CD integration so findings surface at commit time, not post-deployment
• •Triage and prioritize automated scanner output, delivering a risk-ranked backlog rather than raw tool output to engineering teams
• •Conduct manual penetration testing and security assessments of web applications, APIs, and internal services — with particular focus on authentication, authorization, and financial transaction flows
• •Manage the external penetration testing program and own the bug bounty program end-to-end: triage, severity calibration, researcher communication, and payout coordination
• •Track and drive remediation of application-layer vulnerabilities across the product portfolio; monitor CVEs and escalate exploitable issues requiring immediate action
• •Develop and maintain secure coding guidelines and developer-facing security education tailored to the team's stack and threat model

• •Competitive salary & equity
• •Unlimited PTO
• •Full Health, Vision, & Dental coverage
• •401k match
• •Hardware setup: new MacBook Pro, big display, & accessories

• •3+ years of hands-on application security experience — penetration testing, secure code review, or a dedicated AppSec engineering role
• •Strong proficiency identifying and exploiting OWASP Top 10 vulnerabilities; experience assessing modern web applications and API architectures
• •Experience deploying and operating SAST, DAST, and SCA tooling (Semgrep, Snyk, Burp Suite, or equivalent)
• •Ability to read and write code in at least one common backend language (Python, Go, TypeScript, or similar) to conduct meaningful code review
• •Experience conducting or managing penetration tests against web applications and REST/GraphQL APIs
• •Solid understanding of authentication and authorization patterns: OAuth 2.0, JWT, session management, RBAC, and common weaknesses in each
• •Clear written communication — able to write findings that developers actually read and act on
• •(Plus) Experience with a bug bounty platform (HackerOne, Bugcrowd, or equivalent) as an operator
• •(Plus) Familiarity with smart contract security, blockchain transaction flows, or Web3 threat models
• •(Plus) Experience securing financial transaction systems — payment flows, fraud vectors, double-spend risks
• •(Plus) Security certifications: OSCP, GWAPT, GWEB, or equivalent
• •(Plus) Exposure to AWS application-layer security services: WAF, API Gateway, Cognito, Shield
• •(Plus) Prior experience building or scaling a security champions program inside an engineering organization