Security Engineer

Rust Foundation

  • Location: Remote. Regular collaboration with US/EU time zones will be required.
  • Salary: $200k-$350k USD (experience-based). Salary/benefits to be agreed based on experience and local employment package norms.
  • Closing: 5:00pm, 2nd Dec 2022 PST

Job Description

The Open Source Security Foundation (OpenSSF) has identified Rust as a “Critical Open Source Software Project”. The Rust Foundation’s mission is to steward the Rust Language through actively supporting the volunteer maintainers that develop and govern the Rust Project, and we're now looking for a Security Engineer to analyze the code and infrastructure-level security of the Rust Project and identify areas for improvement. The person in this role will have the opportunity to collaborate and communicate with the Rust Project as part of their routine work.

The Security Engineer will:

  • Help ensure that Rust continues to be seen as a leading language in security, memory safety and speed across the developer community, as well as the business and government sectors.

  • Establish a working relationship with the Rust Project maintainers (especially the Infrastructure Team and the Security Response Working Group) in order to identify and prioritize key security issues and opportunities in the Rust landscape that have the potential to cause harm.

  • Develop and implement security processes, policies, and practices within the Rust ecosystem that can ensure the long term security of Rust.

Responsibilities

Security Assessment, Planning and Implementation

  • Conduct a security threat model of the Rust Project and relevant associated ecosystem spaces.

  • Work directly with the Rust Foundation Infrastructure Engineer, the volunteer-run Rust Infrastructure Team and other relevant Project members to assess and improve the security in specified areas of the Rust Project infrastructure, for example, potentially crates.io.

  • Assess, recommend and help implement improvements to the Rust Project infrastructure based on, for example, AWS Well-Architected Review or other types of analysis.

  • Identify, responsibly disclose and fix security bugs and vulnerabilities within the Rust ecosystem to reduce security risk now and into the future.

  • Analyze and triage third-party vulnerability disclosures pertaining to the Rust ecosystem.

Security Advocacy

  • Advocate for better security practices within the Rust contributor and maintainer community by creating programs, developing resources and delivering content across Rust Projects.

  • Work with stakeholders to coordinate and collaborate on existing security undertakings in the Rust ecosystem.

  • Engage with security initiatives such as the OpenSSF and U.S. Open-Source Software Security Initiative Workshop to advocate for Rust’s role in developing secure and safe software.

  • Collaborate with the Foundation and the Rust Project to formulate and execute an action plan for designating Rust code (e.g., crates) as audited for security vulnerabilities (e.g., an approach similar to Mozilla’s cargo-vet).

  • Work together with Foundation staff, potential funding partners, etc. on strategic planning that will improve the security of the Rust project and ecosystem in the medium and long term.

Skills/Experience

  • Knowledge and experience as a security engineer or in the field of computer software security.

  • Experience in finding security vulnerabilities in source code and developing proof-of-concept (PoC) exploits for common vulnerability types. Rust is preferred but not required.

  • Experience disclosing security vulnerabilities in a thoughtful and responsible manner.

  • Experience in programming and development in a professional environment. Rust is preferred, but not required.

  • Experience in developer operations (DevOps), particularly as it pertains to best practices in securing infrastructure.

  • Experience reviewing systems design and conducting threat modeling of those systems.

  • Active experience working on or contributing to an open source project community, ideally the Rust Project or related Rust frameworks. Experienced in collaborating with a range of stakeholders, with the ability to empathize with different points of view, to facilitate compromise, and to adapt to fast-changing or challenging situations.

Employment Details, Compensation & Benefits

  • Compensation: $200k-$350k USD (experience-based).

  • Salary/benefits to be agreed based on experience and local employment package norms.

  • This role will be full-time for at least one year (independent contractor status will be considered if desired).

  • This role will be performed remotely. Regular collaboration with US/EU time zones will be required.

Removing bias from the hiring process

  • Your application will be anonymously reviewed by our hiring team to ensure fairness
  • You’ll need a CV/résumé, but it’ll only be considered if you score well on the anonymous review

Applications closed Sat 3rd Dec 2022