Opendoor

Application Security Engineer

Posted 2 Hours Ago
Hybrid
Toronto, ON
Senior level
Own application-layer security across consumer and internal products: find/fix vulnerabilities, run HackerOne, evolve SAST/DAST/SCA tooling, lead threat modeling and security reviews, build AI automation for triage/remediation, and run offensive security exercises.
The summary above was generated by AI

About Opendoor

At Opendoor, our mission is to tilt the world in favor of homeowners and those who aim to become one. Homeownership matters. It's how people build wealth, stability, and community. It's how families put down roots, how neighborhoods strengthen, how the future gets built. We're building the modern system of homeownership, giving people the freedom to buy and sell on their own terms. We've built an end-to-end online experience that has already helped thousands of people, and we're just getting started.

About the Role

At Opendoor our goal is to build the biggest, most trusted housing platform and set a new standard for how people move. We've combined our deep, proprietary data and operational expertise with the power of artificial intelligence to make online home selling and buying radically simple.


Our Security Engineering team is building intelligent systems that protect Opendoor and our customers while enabling unprecedented engineering velocity. We apply software engineering and AI to solve security problems across product, infrastructure, and operations by building guardrails where they matter, not gates where they don't.


As our Application Security Engineer, you'll own the security of everything we ship — from the consumer flows that put cash offers in homeowners' hands, to the GraphQL APIs that power our products, to the AI agents and vibe-coded tools our engineers and operators build every week. You'll be the technical owner of how we find, fix, and prevent application-layer risk at Opendoor scale.


What You'll Do

● Find and fix application vulnerabilities across our consumer products, internal admin tools, and the GraphQL APIs powering home acquisition, resale, mortgage, title, and escrow.

● Own and evolve our AppSec tooling stack — SAST/DAST, SCA and secrets scanning — and integrate findings into developer workflows where engineers already live (pull requests, Linear, Slack).

● Run our HackerOne program: triage incoming reports, validate exploits, route fixes to product engineering teams, and determine root causes so we can stamp them out at the source.

● Lead threat modeling and security design reviews for new services, APIs, and mobile features — and turn the patterns you see into rules, lint checks, and CI guardrails so the next team doesn't make the same mistake.

● Build AI agents and automated workflows that triage vulnerability reports, validate exploit reproductions, and draft remediation PRs — replacing manual security review with high-signal automation.

● Partner with engineering teams to harden authentication, authorization, and input validation across our Ruby monolith and Go/Python/TypeScript services, including the GraphQL gateway (Apollo) and our EKS workloads - while driving a shift-left strategy to identify vulnerabilities earlier in the development lifecycle.

● Stand up a credible offensive security capability — internal pentesting, red team exercises, and adversarial analysis of high-risk flows (wire fraud, agent unlocks, identity verification) -- leveraging purple team exercises to ensure offensive findings are directly translated into hardened detection and response capabilities.

● Set the bar for what "secure by default" looks like for AI-maximalist engineering, including vibe-coded apps, MCP servers, and agent-driven workflows that touch production data.

● Mentor engineers across the company in secure design, code review, and how to think like an attacker.


Tech Stack

● Languages: Go, Python, TypeScript, Ruby, Terraform

● Cloud: AWS, GCP, Azure, Kubernetes / EKS

● AppSec Tooling: GitHub Advanced Security (CodeQL, Dependabot, secret scanning), Semgrep, HackerOne, Burp Suite, Cloudflare WAF

● AI Tooling: Claude, OpenAI, various agent frameworks, MCP — used heavily for vuln triage, exploit verification, and remediation drafting


What You'll Need

● Deep conviction that AI and automation should eliminate manual work humans shouldn't be doing anyway. You're excited to replace developer toil and reactive vuln triage with automated systems, guardrails, and agents.

● Business enablement security mindset — you measure success by business impact and informed risk-taking, not by tickets opened or pen test reports filed.

● 5+ years of application security or software engineering experience with a security focus, with strong skills in at least one of Python, Go, TypeScript, or Ruby — and the ability to read and write code across the others.

● Hands-on expertise across the SAST/DAST/SCA toolchain, with real deployment experience using GitHub Advanced Security, Semgrep, or equivalent.

● Strong grasp of common application vulnerability classes (OWASP Top 10, OWASP API Security Top 10), with particular fluency in GraphQL, REST, and gRPC security pitfalls — broken authorization, mass assignment, introspection exposure, IDORs.

● Practical threat modeling skills — you can take an architecture diagram and a 30-minute conversation and walk out with the three things that actually matter.

● Experience with cloud and container security on AWS and Kubernetes, including IAM, secrets management, and CI/CD pipeline security.

● Humility and genuine curiosity — you're as excited to learn from product engineers and enable their work as you are to break things.


Bonus Points For

● Offensive security experience — pentesting web apps, APIs, or mobile, and/or red team operations.

● Experience running a bug bounty or coordinated disclosure program at scale.

● Mobile application security review experience (iOS and Android).

● Experience securing AI/ML pipelines, agent frameworks, or MCP-style integrations.

● OSCP, OSWE, or similar offensive certifications.

