Principal Security Engineer, Privy

Who we are

About Privy

Our mission is to make privacy and user ownership the default online. We build simple, flexible developer tooling that makes it easy to build products that put users first. By leveraging modern cryptography, we shift the status quo around digital ownership and protect the accounts and assets of millions of users.

Learn more about Privy: Privy and Stripe: Bringing crypto to everyone

What you’ll do

The Principal Security Engineer is a senior individual contributor responsible for defining, building, and operating security programs for high-risk financial technology and crypto infrastructure products, including embedded wallets, authentication systems, transaction flows, key management systems, developer platforms, and production cloud services.

This role leads security architecture and hands-on technical security work across application security, product security, infrastructure security, incident response, vulnerability management, threat modeling, secure software development, and security automation. The Principal Security Engineer partners directly with engineering, product, infrastructure, compliance, legal, and executive stakeholders to identify and reduce systemic security risk across the company’s most sensitive products and services.

The role requires deep expertise in modern software security, cloud-native systems, cryptographic protocols, wallet and blockchain threat models, secure authentication, web application security, vulnerability research, secure SDLC design, and practical incident response. The Principal Security Engineer is expected to operate independently on ambiguous, high-impact security problems; design scalable security controls; review complex architectures; identify exploitable vulnerabilities; build security tooling; guide engineering teams; and represent security judgment in critical product and platform decisions.

Responsibilities

  • Lead security architecture reviews for embedded wallet systems, authentication flows, key management infrastructure, transaction signing systems, crypto custody-adjacent services, and developer-facing APIs.
  • Conduct advanced threat modeling for web, mobile, cloud, wallet, blockchain, and cryptographic systems.
  • Identify, validate, prioritize, and drive remediation of vulnerabilities across applications, infrastructure, APIs, CI/CD pipelines, third-party integrations, and production services.
  • Design and implement scalable security controls, automation, detection, alerting, and monitoring to reduce risk across engineering teams.
  • Lead or support incident response, security investigations, root-cause analysis, containment, remediation, and post-incident hardening.
  • Evaluate security implications of new product launches, infrastructure changes, vendor integrations, cryptographic designs, and authentication mechanisms.
  • Develop security standards, secure engineering guidance, review processes, and technical documentation for engineering teams.
  • Partner with engineering leadership to embed security into design, development, deployment, and operational workflows.
  • Manage and triage external vulnerability reports, responsible disclosure submissions, penetration test findings, bug bounty reports, and third-party security assessments.
  • Perform hands-on vulnerability research and proof-of-concept validation for complex application, protocol, authentication, authorization, cloud, and blockchain-related security issues.
  • Mentor engineers and security team members on secure design, exploitability analysis, vulnerability remediation, and risk-based prioritization.
  • Stay current on emerging threats affecting crypto infrastructure, fintech, cloud platforms, web application frameworks, supply-

Who you are

We're looking for someone who meets the minimum requirements to be considered for the role. If you meet these requirements, you are encouraged to apply. The preferred qualifications are a bonus, not a requirement.

Minimum requirements

  • 10 years of professional experience in software security, application security, product security, infrastructure security, security engineering, vulnerability research, incident response, or closely related technical security roles.
  • Experience must include substantial hands-on work securing production software systems, cloud infrastructure, web applications, APIs, authentication systems, or financial technology platforms.
  • Bachelor’s degree in Computer Science, Computer Engineering, Information Systems, Information Security, Cybersecurity, Software Engineering, Electrical Engineering, Mathematics, or a closely related technical field. Foreign equivalent degrees are acceptable.
  • Security architecture and threat modeling for complex software systems.
  • Application security, including web application vulnerabilities, API security, authentication, authorization, session management, input validation, injection flaws, insecure deserialization, SSRF, XSS, CSRF, access control failures, and business logic vulnerabilities.
  • Cloud and infrastructure security, including AWS or comparable cloud platforms, IAM, network security, secrets management, containerized workloads, CI/CD security, logging, monitoring, and production hardening.
  • Secure software development practices and the ability to read, review, and reason about production code in modern programming languages such as JavaScript, TypeScript, Python, Go, Java, Ruby, Rust, or similar.
  • Incident response, security investigations, vulnerability triage, exploitability assessment, remediation planning, and post-incident review.
  • Cryptographic and authentication concepts, including public-key cryptography, digital signatures, key management, secure enclave or hardware-backed security models, OAuth/OIDC, passkeys/WebAuthn, wallet signing flows, and secure transaction approval patterns.
  • Security tooling and automation, including SAST, DAST, dependency analysis, vulnerability scanners, custom detection tooling, logging pipelines, or security workflow automation.
  • Risk-based prioritization of vulnerabilities and security findings in a production engineering environment.
  • Communication with engineering, product, infrastructure, legal, compliance, and executive stakeholders on security risks and remediation tradeoffs.
  • Ability to independently lead ambiguous, high-impact security initiatives across multiple teams.
  • Ability to mentor engineers and influence secure design decisions without direct management authority.

Preferred qualifications

  • Experience securing cryptocurrency, blockchain, wallet, custody, payment, financial technology, or high-value transaction systems.
  • Experience with bug bounty programs, responsible disclosure, penetration testing, red-team findings, or vulnerability research.
  • Experience reviewing cryptographic protocols, transaction signing systems, embedded wallets, smart-contract-adjacent systems, or developer SDKs.
  • Experience building internal security platforms, security automation, detection systems, or developer-facing security tools.
  • Public contributions to the security community, such as conference presentations, publications, open-source tools, vulnerability disclosures, CVEs, security research, or peer review of security work.

In-office expectations

Office-assigned Stripes in most of our locations are currently expected to spend at least 50% of the time in a given month in their local office or with users. This expectation may vary depending on role, team and location. For example, Stripes in Stripe Delivery Center roles in Mexico City, Mexico, Bengaluru, India, and Dublin, Ireland work 100% from the office. Also, some teams have greater in-office attendance requirements, to appropriately support our users and workflows, which the hiring manager will discuss. This approach helps strike a balance between bringing people together for in-person collaboration and learning from each other, while supporting flexibility when possible.

Pay and benefits

The annual US base salary range for this role is $273,800 - $410,800. For sales roles, the range provided is the role’s On Target Earnings ("OTE") range, meaning that the range includes both the sales commissions/sales bonuses target and annual base salary for the role. This salary range may be inclusive of several career levels at Stripe and will be narrowed during the interview process based on a number of factors, including the candidate’s experience, qualifications, and location. Applicants interested in this role and who are not located in the US may request the annual salary range for their location during the interview process.

Additional benefits for this role may include: equity, company bonus or sales commissions/bonuses; 401(k) plan; medical, dental, and vision benefits; and wellness stipends.

Office locations

New York

Team

Privy

Job type

Full time

We look forward to hearing from you

At Stripe, we're looking for people with passion, grit, and integrity. You're encouraged to apply even if your experience doesn't precisely match the job description. Your skills and passion will stand out—and set you apart—especially if your career has taken some extraordinary twists and turns. At Stripe, we welcome diverse perspectives and people who think rigorously and aren't afraid to challenge assumptions. Join us.