Apache Security Team

Thursday May 05, 2022

Position available: Security Response Program Manager

About the job

We are looking for a part-time Program Manager to work in the Apache Software Foundation security response team. The main focus will be on the handling and organisation of the incoming security reports across our 300+ open source projects.

This is a remote, part-time position. Working hours are expected to be spread throughout all weekdays, with flexibility depending on issue load or critical issues.

Pay: Up to USD 100,000 per year based on 30 hours/week, depending on experience.

We are looking for someone in either the USA, Canada, or Europe.

What you will do

  • Handle embargoed incoming security reports sent to our security@apache.org address with initial triage and liaison with issue finders.
  • Route and co-ordinate the incoming reports with the affected ASF project teams.
  • Keep track of open issues, ensure projects follow our policies and processes, and ensure that projects respond in a timely manner.
  • Provide reviews and advice on all vulnerability texts and metadata. Ensure we provide clear, accurate, timely, and authoritative information.
  • Submit CVE entries, perform updates, as well as other CVE naming authority tasks.
  • Track exploits released against ASF vulnerabilities and assess any additional actions needed.
  • Produce monthly reports and occasional public blogs on metrics, exploits, and trends.
  • Manage critical vulnerabilities, including liaison with ASF Press, Legal, other committees, and external entities as required.
  • Use and, where possible, help maintain existing tools used for CVE handling (Node.js) and for metrics and tracking (Python).
  • Liaise with external parties wanting to perform audits.
  • Help test and assess software security related tooling.
  • Assist our projects and our community on any other aspects of supply chain best practices.
  • Monitor and engage with external organisations such as the OpenSSF to tune and develop our policies and processes.

What you will bring

  • Excellent organisational skills and attention to detail.
  • Solid understanding of security vulnerabilities and their lifecycle.
  • Great documentation skills in order to describe complex security issues in plain language.
  • Able to handle sensitive, private, and embargoed information.
  • Familiarity with open source software development models.
  • Ability to work with a wide range of corporate and open source cultures.
  • Triage and analysis skills and experience.
  • Ability to work on your own in a fast-paced environment with teams and projects distributed across multiple countries and time zones.
  • English as a spoken and written language is required in order to facilitate team collaboration.
  • This is a remote work position; the ASF does not require nor provide office locations. You will have your own network connection and the equipment necessary to perform the job.

The following are considered a plus:

  • Knowledge of the ASF and its governance and communities.
  • Intermediate level Node.js and/or Python.
  • Knowledge of the Getting Things Done (GTD) productivity system.

Who you will work with:

  • You will report to the Infrastructure Administrator with work directed by the VP Security.
  • You will work alongside volunteer members of the security team.

Please send your cover letter and resume (PDF or plain text only) to sec-hiring@apache.org by June 10th 2022.