Staff Security Engineer, PSIRT

Flock Safety

Salary: $185K - $230K
Location: Remote in United States
Category: Information Technology
Experience: 5 - 7 years
Job Overview by Ladders

Qualifications

  • 7+ years in security engineering, with 4 years leading a PSIRT or product security function.
  • Hands-on operational experience as a CNA or leading technical onboarding related to CVE operational rules.
  • Deep familiarity with ISO/IEC standards for vulnerability disclosure and handling.
  • Strong technical expertise in embedded/firmware security or cloud security on AWS, among other product security areas.
  • Excellent written communication skills for drafting varied security documents tailored to different audiences.
  • Ability to obtain and maintain CJIS certification as a condition of employment.

Responsibilities

  • Establish and run Flock's Security Incident Response Team (PSIRT) to manage vulnerabilities.
  • Coordinate with various teams to drive remediation of security issues and enhance validation processes.
  • Serve as the operational and technical owner of the Coordinated Vulnerability Disclosure (CVD) program.
  • Create and implement incident response SLAs, metrics, playbooks, and public advisories.
  • Conduct assessments of existing security measures and establish collaboration with key stakeholders.
  • Manage response operations against established SLAs and track performance metrics.

Benefits

  • Flexible PTO with 11 company holidays.
  • Fully-paid health benefits including Medical, Dental, and Vision.
  • 12 weeks of 100% paid parental leave for all employees, with additional recovery time for birthing parents.
  • $50,000-lifetime maximum benefit for fertility and family-related expenses via Maven.
  • Mental health support through Spring Health with various services personalized to individual needs.
  • Caregiver support services provided through Cariloop.
  • Monthly stipends for working from home and productivity, plus a one-time home office setup contribution.
Full Job Description
The Opportunity

As a Staff Security Engineer, PSIRT Lead, you will stand up and run Flock's Security Incident Response Team (PSIRT) as the single point of accountability for every externally-reported and internally-discovered vulnerability that touches a Flock product. You will coordinate with engineering teams on fixes as much as you coordinate with your security counterparts on security validation.

You will be the operational owner of our newly established CNA, the technical owner of our Coordinated Vulnerability Disclosure (CVD) program, and the cross-functional coordinator who drives fixes to closure across Hardware, Firmware, Device SRE, Cloud SRE, Mobile, ML, Legal, Comms, and Customer Support.

This is an individual contributor role with no direct reports. You will lead by influence across engineering, legal, communications, and support, setting the SLAs, the metrics, the playbooks, and the public security advisories that the rest of the company executes against.

While you will partner closely with our Detection & Response team and Corporate Security, PSIRT is distinctly product-focused: every cycle you spend should reduce risk for the devices in the field and the customers who depend on them.

The Skillset
  • 7+ years in security engineering with at least 4 years directly running or leading a PSIRT, product security, or coordinated vulnerability disclosure function. Experience at a company that ships connected hardware (LPR/IP cameras, ICS/OT, automotive, medical, or networking gear) is highly preferred.
  • Demonstrated end-to-end ownership of the FIRST PSIRT Services Framework v1.1 service areas (Stakeholder Ecosystem, Discovery, Triage, Remediation, Disclosure). You can talk credibly about how you implemented each in a previous role.
  • Hands-on operational experience acting as a CVE Numbering Authority (CNA) or leading the technical onboarding of one. Deep knowledge of CNA Operational Rules v4.x, CVE scope definition, and root coordination (CISA ICS-CERT, MITRE).
  • Deep familiarity with ISO/IEC 29147 (disclosure), ISO/IEC 30111 (handling), the CERT/CC Guide to CVD, and CISA Binding Operational Directive 20-01.
  • Strong technical understanding across product security, with deep operational experience in at least three of the following (areas 1 and 2 are highly prioritized):
    • Embedded/Firmware Security (Secure boot, hardware root of trust, UART/JTAG/USB attack surfaces, OTA integrity).
    • Linux/Android Device Security.
    • Cloud Security on AWS (IAM, EKS, federation, secrets management).
    • Mobile/Web App Security (OWASP Top 10, GraphQL, authn/authz).
    • ML/CV Model Security (Adversarial inputs, data poisoning, extraction).
  • Fluent with CVSS v3.1/v4.0, CWE classification, EPSS, and SSVC frameworks. You can defend a severity decision in front of an engineering VP and an external researcher in the same week without changing your story.
  • Exceptional written skills. You can draft a sharp, customer-facing security advisory, a precise CVE record, an internal postmortem, and a board-level executive summary of the same event, tailoring the tone perfectly to each audience.
  • Ability to obtain and maintain CJIS certification as a condition of employment.

Feeling uneasy that you haven't ticked every box? That's okay; we've felt that way too. Studies have shown women and minorities are less likely to apply unless they meet all qualifications. We encourage you to break the status quo and apply to roles that would make you excited to come to work every day.

90 Days at Flock

We subscribe to 90-day plans and believe that good days lead to good weeks, which lead to good months. This serves as a preview of the 90-day plan you will receive if you were to be hired in this role at Flock.

The First 30 Days
  • Assess the existing security and incident response landscape across our product and infrastructure ecosystem.
  • Establish relationships with key cross-functional stakeholders across Engineering, Product, Legal, Communications, Customer Support, and Operations to define a collaborative incident response matrix.
  • Draft a baseline Security Incident Response Team (PSIRT) operating model, including intake channels, triage SLAs, severity rubrics, and disclosure policies, for leadership review.

The First 60 Days
  • Complete onboarding with relevant vulnerability management authorities and validate the end-to-end workflow by successfully processing an initial identifier assignment.
  • Establish central tracking workflows and documentation templates to streamline and automate the logging, remediation, and reporting of security findings.

90 Days & Beyond
  • Manage response operations against established SLAs, tracking key metrics like time-to-triage, time-to-fix, and time-to-disclose, and deliver regular performance updates to leadership.
  • Execute coordinated public security advisories when necessary, ensuring patches, customer communications, and public disclosures are seamlessly synchronized.

Salary & Equity

In this role, you'll receive a starting salary between $185,000 and $230,000 as well as Flock Stock Options. Base salary is determined by job-related experience, education/training, as well as market indicators. Your recruiter will discuss this in-depth with you during our first chat.

Location

We're building the impossible, together. To drive innovation through in-person collaboration, we're prioritizing candidates in our key hubs: Atlanta, Boston, Chicago, Denver, Los Angeles, New York City, San Francisco, and Austin. While we value the energy of our hub communities, we embrace remote work and welcome applications from exceptional talent across the United States.

The Perks

Flexible PTO: We offer non-accrual PTO, plus 11 company holidays.

Fully paid health benefits plan for employees, including Medical, Dental, and Vision, and an HSA match.

Family Leave: All employees receive 12 weeks of 100% paid parental leave. Birthing parents are eligible for an additional 6-8 weeks of physical recovery time.

Fertility & Family Benefits: We have partnered with Maven, a complete digital health benefit for starting and raising a family. Flock will provide a $50,000-lifetime maximum benefit related to eligible adoption, surrogacy, or fertility expenses.

Spring Health: Spring Health offers a variety of mental health benefits, including therapy, coaching, medication management, and digital tools, all tailored to each individual's needs.

Caregiver Support: We have partnered with Cariloop to provide our employees with caregiver support.

Carta Tax Advisor: Employees receive 1:1 sessions with Equity Tax Advisors who can address individual grants, model tax scenarios, and answer general questions.

ERGs: We want all employees to thrive and feel like they belong at Flock. We offer four ERGs today - Women of Flock, Flock Proud, LEOs and Melanin Motion. If you are interested in talking to a representative from one of these, please let your recruiter know.

WFH Stipend: $150 per month to cover the costs of working from home.

Productivity Stipend: $300 per year to use on Audible, Calm, Masterclass, Duolingo and so much more.

Home Office Stipend: A one-time $750 to help you create your dream office.

If an offer is extended and accepted, this position requires the ability to obtain and maintain Criminal Justice Information Services (CJIS) certification as a condition of employment.
