• Lead and manage data incident response investigations and reporting under legal privilege, ensuring compliance with applicable regulatory requirements • Oversee and maintain the Privacy and Cyber SharePoint site, risk metrics, and control tower to ensure proper documentation and tracking • Collaborate with cybersecurity subject matter expert (SME) on NIST 800-171, and Cybersecurity Maturity Model Certification 2.0 (CMMC) to support cyber legal counsel • Review purchase orders and subcontract terms and conditions to ensure compliance with company policies, procedures, internal guidance, and legal requirements, including the FAR and DFARS • Collaborate with Supply Chain personnel, and members of LCC and Program Counsel to conduct contract reviews, with a focus on privacy and cybersecurity contract terms • Conduct privacy impact assessments and regular compliance-related risk assessments and develop and implement action plans • Brief on areas of concern to all levels of the business including at times senior leadership

This description is a summary of our understanding of the job description. Click on 'Apply' button to find out more. Role Description Our Product Security team is a dynamic blend of proactive defenders and inquisitive problem-solvers. We are dedicated to strengthening our systems through rigorous security reviews and hands-on penetration testing, and we actively manage our Bug Bounty program to ensure timely validation, response, and remediation. We leverage cutting-edge tools and techniques to build robust defenses, and collaboration is central to how we work; embedding security best practices throughout the SDLC. We continuously research emerging threats, develop effective mitigation strategies, and empower engineering teams through clear guidance and practical security training. We maintain up-to-date security standards and documentation, lead incident response efforts with precision, and are passionate about spreading a secure-by-design culture while contributing to the wider security community. What You Will Do - Conduct threat modelling reviews of Technical Design Documents (TDDs) for new and existing features, providing clear, actionable security recommendations early in the design process. - Perform and support application security assessments, including penetration testing, vulnerability assessments, and proof-of-concept (PoC) development where appropriate. - Investigate, triage, and respond to Bug Bounty program submissions, validating findings and working with engineering teams to drive timely remediation. - Own and continuously improve application-layer protections, including managing and tuning Cloudflare WAF and related security controls. - Partner closely with engineering teams to embed security best practices throughout the SDLC, from design and development through deployment and maintenance. - Research and track emerging threats and vulnerabilities, translating findings into practical mitigation strategies relevant to our technology stack. - Develop and deliver security guidance, training, and awareness for engineering teams to raise the overall security maturity of the organization. - Contribute to the creation, maintenance, and evolution of security standards, processes, and documentation. - Participate in and eventually lead incident response activities, supporting investigation, containment, remediation, and post-incident improvements. Qualifications - You have developed a breadth of experience across multiple security domains, including web and mobile application security, infrastructure and cloud security. - You have hands-on experience performing white-box, source code-assisted web and mobile application penetration testing, from vulnerability discovery through triage and exploitation. - You have the ability to read, understand, and review source code to identify security issues, with ideally, a particular focus on JavaScript and TypeScript codebases. - You have a strong understanding of Threat Modelling principles and their practical application to the secure software development lifecycle (SDLC). - You have experience working with web application firewalls to help protect applications, assess coverage, and support tuning rules to mitigate common attack patterns. - You have experience embedding application security practices into CI/CD pipelines, enabling early detection of vulnerabilities and close collaboration with engineering teams throughout the development lifecycle. - You have collaborated closely with engineering teams to clearly communicate security findings, explain vulnerabilities, attack paths, and mitigations, and support the implementation of effective fixes for both technical and non-technical audiences. - You are self-motivated, proactive, and take strong ownership of your work, operating effectively in a remote environment while maintaining a collaborative, team-focused mindset. Nice-to-have experience - You have experience in JavaScript and TypeScript, including the ability to read, understand, and reason about modern web application codebases. - You have experience working with Cloudflare, including its hosting and Web Application Firewall (WAF) capabilities, to help secure and operate internet-facing applications. - You have experience testing and securing GraphQL, REST APIs, including understanding common GraphQL/REST-specific attack vectors and security considerations. - You have experience or a strong interest in Web3 security testing, including assessing smart contracts, blockchain-based applications, or Web3 integrations. - You have an interest in agentic engineering, including emerging patterns in autonomous systems, tooling, or workflows, and their security implications. Bonus Points - You contribute or have contributed to the security community through open source involvement, participation in CTFs, or speaking at local information security meetups and conferences. - Your background includes experience working with disruptive technologies and successfully launching products, ideally within FinTech, SaaS, or Crypto. - You hold one or more security relevant certifications such as OSCP or OSWE. Benefits - Competitive salary package - Equity package: We believe financial freedom starts with our employees, so all employees have ownership at MoonPay - Pay for performance equity bonus: Those who drive outsized outcomes receive outsized rewards - Moonshot award: We honor exceptional impact - 10 employees twice a year, each earning a $250,000 equity grant. - Unlimited holidays: We give you the autonomy to choose when to work (and when to switch off) - Hybrid working schedule: Work fully remotely or your nearest Moonbase, the choice is yours - Private Healthcare benefits: To protect you and your loved ones - Enhanced parental leave: So you can spend more time with your loved ones without a second thought - Annual training budget: We support your training journey every step of the way - Home office setup allowance: Create the home office of your dreams - Remote working allowance: Those working fully remotely get a little extra for utilities - Monthly budget to spend on our products and zero fee crypto transactions: Cultivate your inner DEGEN - Employee referral programme: Great people know great people, refer them to receive 10K in USDC - Regular remote company offsites: Meet your colleagues regularly for high impact in person sessions and hackathons - Working in a disruptive and fast-growing company where excellence is rewarded Commitment To Diversity At MoonPay we believe that every voice matters. We strive to create a mindful and respectful environment where everyone can bring their authentic self to work, and experience a culture that is free of harassment, racism, and discrimination. That’s why we are committed to diversity and inclusion in the workplace and are a proud equal opportunity employer. We prohibit discrimination and harassment of any kind based on race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, protected veteran status or any other characteristic protected by law. This policy applies to all employment practices within our organization, including, but not limited to, hiring, recruiting, promotion, termination, layoff, and leave of absence. MoonPay is also committed to providing reasonable accommodations in our job application procedures for qualified individuals with disabilities. Please inform our Talent Team if you need any assistance completing any forms or to otherwise participate in the application process.

• Own and scale XBOW’s Developer & Security Relations programs across vulnerability disclosure, researcher engagement, and developer community initiatives • Design and manage programs that support responsible disclosure, external researcher collaboration, and coordination with customers and partners • Partner closely with Security Research to operationalize external research engagement, including triage, validation, and communication workflows • Collaborate with AI Engineering and Product teams to surface meaningful technical insights and research outputs for external audiences • Work with Product Marketing and Content teams to translate research and platform capabilities into credible, developer- and researcher-facing narratives • Build and maintain relationships with key members of the security research and developer communities • Develop technical content strategies in partnership with content teams, including blogs, research write-ups, technical explainers, and program documentation • Support and shape XBOW’s presence in vulnerability disclosure ecosystems, bug bounty platforms, and security research communities • Create repeatable programs that drive awareness, trust, and adoption among developers, security practitioners, and researchers • Define success metrics for DevRel and SecRel programs, including engagement, research participation, program throughput, and ecosystem impact • Represent XBOW in technical forums, private briefings, and community conversations as a credible and trusted voice

• Act as a liaison for the designated site, assisting with compliance to GE Vernova’s (GEV) EHS programs and requirements • Conduct regular occupational safety inspections at the designated site • Perform field visits to verify EHS conditions and provide guidance to site teams • Deliver EHS training and onboarding as required • Support the site team in adopting best practices from other locations • Contribute to investigations and analyses of all accidents, incidents or hazardous situations • Prepare and analyze internal and external EHS reports • Coordinate GE Vernova’s EHS programs at the site and assist the team with their implementation • Ensure the site has identified all applicable legislation or standards and understands the requirements to achieve compliance • Monitor the Partner’s EHS performance and execution, providing support when improvements are needed