Security Researcher

Vulnerability Research Position

We're looking for individuals with exceptional talent in vulnerability research, web security, cryptography, and/or reverse engineering—people who can find bugs no one else can.

About Us

We do the best security reviews in the world. Our clients include Polymarket, Canonical, Protonmail, Cognition, and the Solana Foundation. Before Zellic, we previously founded perfect blue, the #1 CTF team in 2020, 2021, and 2023 as part of Blue Water. We are an employee-owned company. We're consistently profitable, with a team of 50+ and growing (mostly CTF players). We value steady, long-term success over short-term gains.

What You'll Do

You'll work alongside the best hackers in the world. Day-to-day, that means:

• Auditing client code across a wide range of challenging targets—compilers, virtual machines, web apps, databases, circuits, proof systems, and more
• Writing clear, professional reports that explain vulnerabilities and their impact
• Keeping up with new attacks, techniques, and research
• Contributing to Zellic's public research through blog posts and, optionally, conference talks

Qualifications

You should be strong in at least one of these areas:

• Pwn. Finding and exploiting vulnerabilities in native software. You know the AFL++ command line parameters by heart. We especially value browser exploitation, kernel exploitation, or virtual machine escapes.
• Web. Breaking web applications. You believe CSP stands for "Client Side Puzzle". You find and abuse logic bugs and design flaws. You have a track record as a bug bounty veteran.
• Cryptography. Attacks, protocol design, and secure implementation. You enjoy diving into and reimplementing a paper. Strong math background paired with broad knowledge of important primitives. Knowledge of hash-based crypto or lattices is a plus.
• Reverse Engineering. Decompilation, program analysis, formal methods, and programming languages. You love Z3 and SSA form. You can take apart anything and aren't afraid to tackle an obfuscated VM.
• Misc. You intimidate software into finding bugs in itself, simply by looking at it.

Other Nice-To-Haves

• A healthy dose of skepticism and the ability to think independently and critically
• An interest in finance or blockchain is welcome but not required. Many of our hires have no prior blockchain experience.

What You'll Like About Us

• Ask your friends. You probably know someone who's working or has worked here.
• Flexible hours, remote work, and both full-time and part-time opportunities. We have a NYC office you can visit as much (or as little) as you'd like.
• Competitive salaries, with two major bonuses per year
• Direct equity participation
• Paid travel to two security conferences per year
• A complete benefits package. Among other perks, our team enjoys multiple fully-funded offsites each year. Past locations include Japan, France, and Bali.

Full-time roles include all of the above. Benefits vary for part-time roles.

Culture

• Calling All Hackers
• The Auditooor Grindset

To be considered for this role, please apply at:

Once we receive your application, we'll be in touch if we're interested.