Application Security Engineer

About Polymarket Polymarket is the world's largest prediction market platform. We enable individuals to express views on real-world events by trading on outcomes across politics, economics, sports, culture, and current affairs. Built as a peer-to-peer marketplace with no centralized "house," Polymarket aggregates diverse opinions into transparent, market-based probabilities that reflect collective expectations about the future. We're growing fast — both in terms of volume ($21B traded in 2025) and adoption as an alternative news source. Our ambition is to become a ubiquitous beacon of truth in global media and we need your help adding fuel to the fire. About the Role Polymarket is looking for an Application Security Engineer to embed security throughout our software development lifecycle. You'll partner directly with product and engineering teams to identify and fix vulnerabilities before they reach production, own the tooling and processes that make secure development the default, and lead hands-on security assessments of our externally-facing platform. This is a high-ownership role at a company where engineering moves fast — the right candidate knows how to raise the security bar without becoming a bottleneck. What You'll Do Own the application security program across the SDLC — from design review through deployment — ensuring security is addressed early and consistently Conduct threat modeling on new features and architectural changes; perform security design reviews and code reviews on high-risk changes with specific, actionable findings Own the SAST, DAST, and SCA toolchain — selection, deployment, tuning, and CI/CD integration so findings surface at commit time, not post-deployment Triage and prioritize automated scanner output, delivering a risk-ranked backlog rather than raw tool output to engineering teams Conduct manual penetration testing and security assessments of web applications, APIs, and internal services — with particular focus on authentication, authorization, and financial transaction flows Manage the external penetration testing program and own the bug bounty program end-to-end: triage, severity calibration, researcher communication, and payout coordination Track and drive remediation of application-layer vulnerabilities across the product portfolio; monitor CVEs and escalate exploitable issues requiring immediate action Develop and maintain secure coding guidelines and developer-facing security education tailored to the team's stack and threat model What We're Looking For 3+ years of hands-on application security experience — penetration testing, secure code review, or a dedicated AppSec engineering role Strong proficiency identifying and exploiting OWASP Top 10 vulnerabilities; experience assessing modern web applications and API architectures Experience deploying and operating SAST, DAST, and SCA tooling (Semgrep, Snyk, Burp Suite, or equivalent) Ability to read and write code in at least one common backend language (Python, Go, TypeScript, or similar) to conduct meaningful code review Experience conducting or managing penetration tests against web applications and REST/GraphQL APIs Solid understanding of authentication and authorization patterns: OAuth 2.0, JWT, session management, RBAC, and common weaknesses in each Clear written communication — able to write findings that developers actually read and act on (Plus) Experience with a bug bounty platform (HackerOne, Bugcrowd, or equivalent) as an operator (Plus) Familiarity with smart contract security, blockchain transaction flows, or Web3 threat models (Plus) Experience securing financial transaction systems — payment flows, fraud vectors, double-spend risks (Plus) Security certifications: OSCP, GWAPT, GWEB, or equivalent (Plus) Exposure to AWS application-layer security services: WAF, API Gateway, Cognito, Shield (Plus) Prior experience building or scaling a security champions program inside an engineering organization Benefits Competitive salary & equity Unlimited PTO Full Health, Vision, & Dental coverage 401k match Hardware setup: new MacBook Pro, big display, & accessories

{
  "content_hash": "1fa73927f3fe25faaacaa81c08d70aa18b0d7faa35e34eed402d41dd0c033f9f",
  "source_hash": "5acd7fe625f4b7f9851b415d061d962bd5519a79077acfb4dbde0d10d1c734f5",
  "last_changed_at": "2026-05-29T06:20:07.827Z",
  "active_status": "active"
}

{
  "language": "en",
  "location": {
    "raw": "New York",
    "city": "New York",
    "region": "NY",
    "country": "United States",
    "is_remote": false,
    "confidence": 0.75
  },
  "salary_max": null,
  "salary_min": null,
  "inferred_at": "2026-06-06T09:18:17.630Z",
  "launch_scope": {
    "reason": "english_us_canada",
    "included": true,
    "language": "en",
    "location": {
      "raw": "New York",
      "city": "New York",
      "region": "NY",
      "country": "United States",
      "is_remote": false,
      "confidence": 0.75
    },
    "countries": [
      "United States"
    ]
  },
  "remote_policy": null,
  "salary_period": null,
  "workplace_type": "on_site",
  "salary_currency": null
}

{}

{
  "id": "37b70253-b155-46b7-9349-b459e759c19f",
  "team": "IT ",
  "title": "Application Security Engineer",
  "jobUrl": "https://jobs.ashbyhq.com/polymarket/37b70253-b155-46b7-9349-b459e759c19f",
  "address": null,
  "applyUrl": "https://jobs.ashbyhq.com/polymarket/37b70253-b155-46b7-9349-b459e759c19f/application",
  "isListed": true,
  "isRemote": false,
  "location": "New York",
  "updatedAt": null,
  "apiVersion": "ashby-non-user-graphql-v1",
  "department": "IT ",
  "publishedAt": null,
  "workplaceType": "OnSite",
  "employmentType": "FullTime",
  "secondaryLocations": []
}