Senior Full-Stack Engineer - Security

There's a guideline in medicine called "Sutton's Law": first consider the obvious. The law gets its name from an apocryphal interview with Willie Sutton, an infamous bank robber, who was asked "Why do you rob banks?" and replied simply "Because that's where the money is."

Mercury is building the banking* stack for startups, and it's obvious security is critical to our product. That's where the money is.

At Mercury, there are two dedicated security teams. The first is a comprehensive Information Security (InfoSec) team with extensive backgrounds in security. They focus on areas such as PCI/SOC2 compliance, endpoint management, detection and response, as well as network and corporate security. This team has a wide mandate and frequently work in our product and infrastructure as well.

The team you would be joining is primarily focused on engineering, with a primary goal of addressing security challenges through code. Our work involves tackling a variety of security issues, ranging from developing security features to creating infrastructure that assists other teams in building their features securely. Currently, our main projects include enhancing our admins' permissions system, devising a streamlined method for users to verify their identity during phone calls, and a few smaller initiatives. In addition to coding, we actively engage with other teams. This involves explaining vulnerabilities identified through our bug bounty programs, addressing security concerns related to ongoing projects, and responding to queries from other teams. Exceptional security judgment, a grasp of product concepts, and effective communication skills are highly valuable in these collaborative scenarios.

As a Security Engineer at Mercury, you will:

• Address key security features within the product, such as developing passkey support, enhancing the security dashboard, refining user-facing audit logs, and implementing SAML.
• Upgrade our pentest environment to ensure it aligns with our security researchers' needs, addressing challenges like data sufficiency and effective stubbing of third-party interactions.
• Contribute to bug bounty program triage by validating reports, coordinating responses, and managing researcher payments, while collaborating with teams to resolve identified issues.
• Analyze vulnerabilities and proactively target root causes by creating tools for codebase scanning, establishing effective patterns and systems, and enhancing security training for engineers.
• Assist teams in threat modeling and cultivating a security mindset for their features, leveraging dedicated security expertise to complement the existing skills of our engineers.
• Investigate user security issues, utilizing product knowledge and logs to understand incidents and proposing improvements to monitoring for quicker detection of similar issues.

The ideal candidate possesses:

• Excellent empathy for customers.
• An ability to carefully consider tradeoffs between security and user experience.
• Proficiency in standard software engineering, including discussions on schema and app design.

Requirements:

• Three or more years of experience in software security roles or equivalent.
• Full-stack development experience, with excitement to learn and work with Haskell, React, and TypeScript.

Nice to Haves:

• Familiarity with our tech stack.
• Experience in fraud or finance-related domains.

The total rewards package at Mercury includes base salary, equity (stock options), and benefits.

Our salary and equity ranges are highly competitive within the SaaS and fintech industry and are updated regularly using the most reliable compensation survey data for our industry. New hire offers are made based on a candidate’s experience, expertise, geographic location, and internal pay equity relative to peers.

Our target new hire base salary ranges for this role are the following:

• US employees (any location): $203,100–$238,900.

• Canadian employees (any location): CAD 184,800–217,400.

*Mercury is a financial technology company, not a bank. Banking services provided by Choice Financial Group and Evolve Bank & Trust®; Members FDIC.

We use Covey as part of our hiring and / or promotional process for jobs in NYC and certain features may qualify it as an AEDT. As part of the evaluation process we provide Covey with job requirements and candidate submitted applications. We began using Covey Scout for Inbound on January 22, 2024.

Please see the independent bias audit report covering our use of Covey here.