Defiant, Inc.: Web Application Vulnerability Analyst Contractor

Headquarters: Seattle, WA

Wordfence is owned and operated by Defiant Inc. We are a small, dynamic, fast-growing, profitable and 100% founder owned company with loyal customers who love our products and services. We are the global leader in WordPress security, protecting over 4 million websites. We regularly release high-quality software, firewall rules, and threat intelligence to millions of customers around the world. We also publish ground-breaking security research weekly that is covered by journalists and information security professionals and publications around the world.

If you are excited about working for a technology company that is securing a huge part of the Web and are looking for a full-time contractor job with flexible hours working remotely, this may be your dream job! Our core hours are 10 am to 1 pm Pacific time and our team has flexibility outside those hours.

Compensation is an hourly rate of $30 USD.

Job Description
We are looking for a Web Application Vulnerability Analyst Contractor with a focus on WordPress to join our Threat Intelligence team. In this role, you will be expected to analyze newly reported WordPress Plugin, Theme, and Core vulnerabilities to determine their exploitability, severity, impact and more along with determining existing coverage of the Wordfence firewall’s rules. You will also be expected to triage incoming Bug Bounty report submissions which involves validating reports and proposing bounties based on company assessed impact.

Key Responsibilities
  • Triaging and validating vulnerability reports submitted to our Bug Bounty Program. This includes:
    • Quickly assessing impact to determine the order in processing incoming submissions.
    • Setting up a test environment to replicate any reported vulnerabilities
    • Finding the source of the vulnerability in the source code, when not provided by the researcher 
    • Populating a vulnerability record based on the provided data 
    • Determining if a custom firewall rule needs to be developed for the vulnerability. 
    • Providing a recommended solution to the developer for common vulnerabilities 
    • Proposing a bounty amount based on our internal calculator to reflect the severity and impact of the vulnerability. 
    • Working with the customer service team that handles the responsible disclosure. 
    • Validating a patch is sufficient when released. 

  • Adding newly disclosed vulnerabilities from public data sources to our Vulnerability Database. This includes: 
    • Fully analyzing the vulnerability to determine impact 
    • Identifying where in the code the vulnerability occurs 
    • Verifying that the issue is fully patched. 
    • Formulating a CVSS score and choosing a CWE.  
    • Populating a vulnerability record based on disclosed and newly discovered data. 
    • Determining if a custom firewall rule needs to be developed for the vulnerability. 

Our ideal candidate has:
  • Certifications, or desire to get certified (OSWE, eWPTx, PenTest+, Security+, eWPT, GWAPT, etc..) 
  • Experience formulating CVSS scores and identifying CWEs for vulnerability types.
  • Ability to process large amounts of technical data consistently and accurately with minimal mistakes. 
  • Experience performing data entry related tasks where some technical proficiency and additional analysis is required prior to data entry.
  • Familiarity with the CVE Program and CVE IDs.
  • An understanding of the WordPress threat model 
  • Experience with writing and/or testing Web Application Firewall rules, or familiarity with functionality of access control lists. 
  • Experience working with REGEX.
  • Experience writing simple scripts to improve workflows and efficiency. 
  • Excellent communication skills

Desired Qualifications
  • Technical experience with common web application based vulnerabilities in WordPress plugins and themes.  
  • Ability to develop proof of concepts programmatically or conceptually to test the exploitability of vulnerabilities, and the general ability to read/understand programmatic and conceptual proof of concepts. 
  • Ability to replicate the exploitability of vulnerabilities in a test environment  
  • Ability to review source code changes to determine if a vulnerability was patched, and what the patch was for. 
  • Experience generating/modifying HTTP requests.
  • Experience working with BURP suite, or similar proxy software, and a PHP debugger.
  • Experience programmatically interacting with REST APIs
  • Comfort with diff'ing and searching files using command line tools.
  • A solid understanding of WordPress hooks, how they are used, and how they can lead to vulnerabilities.
  • A solid understanding of the responsible disclosure process. 
  • Excellent analytical ability, ability to think outside of the box, and an eagerness to learn.  

Hiring Process
  1. Please fill in the form provided in this application. The hiring team will look at this first. The way you answer our form will determine if your application moves to the next step. Please note that we read every answer and this form is a critical part of our hiring process.
  2. Participate in a series of phone interviews. We are respectful of your time and keep the number of interviews you will need to attend to a minimum. This is usually two or three interviews.
  3. All contracts and offers of employment are contingent on the successful completion of a background check. The results of the background check are considered as they relate to the position and do not automatically disqualify someone from a contract or employment with the company.
  4. Join our fast-paced team and start testing our products and and helping release software to over 4 million customers! All positions require a trial period of approximately 2-3 weeks with a minimum commitment of 10 hours per week. You will be paid for this short-term contract, and it will be used to evaluate whether both parties want to pursue an ongoing, regular employment relationship.

Diversity at Defiant
We value diversity and do not discriminate based on race, color, religion or creed, national origin or ancestry, sex, age, physical or mental disability, military or veteran status, gender identity or expression, marital status, sexual orientation, political ideology, economic status, parental status, or any other non-performance-related status.

To apply: