Senior Application Security Engineer (Next.js & Cloud-Native HealthTech)
Aiomics
Build and own the application security function from the ground up, ensuring our patient-facing platform is hardened against real-world threats before our first user logs in.
What you'll be primarily doing
- Perform deep-dive manual security review of our Next.js/React 19 codebase, specifically targeting auth logic, business logic flaws, and data access patterns in server actions and API routes.
- Threat model critical user journeys (e.g., patient data access, practitioner authentication).
- Own the relationship with external security researchers.
- Implement and fine-tune SAST and SCA tooling to minimize noise and maximize signal.
- Partner with cloud engineers to triage and remediate findings from AWS Security Hub.
- Document and champion secure configurations for Vercel, Clerk, and our private networking setup.
What success looks like (outcomes only)
By month 3
- The critical account-takeover class of vulnerability (e.g., insecure server actions) is verifiably eliminated from the Next.js codebase, and its root cause is addressed with a scalable, preventative control.
- A formal Responsible Disclosure Program is live, with a clear, respectful process for security researcher intake, triage, and communication.
- Automated security scanning (SAST/SCA) is integrated into the CI/CD pipeline, providing fast feedback to developers on critical findings.
By month 6
- A comprehensive threat model for the patient and practitioner portals is documented, has identified the top 5 risks, and is actively informing the security roadmap.
- Secure coding guidelines for our stack (Next.js, Server Actions, API routes) are established and have been adopted by the development team.
- The backlog of critical and high-severity findings in our cloud environment (AWS Security Hub, Config) has been reduced by at least 75%.
What we would love you to bring
- You’ve found, fixed, and explained critical web vulnerabilities (OWASP Top 10) in modern JavaScript frameworks (React/Next.js).
- You have a deep, practical understanding of authentication and authorization flows (JWTs, sessions, middleware) and, more importantly, how to break them.
- You are comfortable navigating cloud security tools (AWS Security Hub, GuardDuty, IAM Access Analyzer) to triage and advise on infrastructure findings.
- You have experience running or actively participating in a bug bounty or vulnerability disclosure program. You know how to talk to researchers.
What makes this a great opportunity
- Greenfield Security Ownership: This isn’t about maintaining a legacy program. You will build our application security function from scratch, establishing the tools, processes, and culture your way.
- Immediate, Critical Impact: Your work will directly protect sensitive patient and practitioner data from day one, forming the bedrock of our product's trustworthiness.
- A Modern, Interesting Stack: Secure a cutting-edge architecture (Next.js 15 on Vercel, serverless backends, PrivateLink) where the application layer is the true security frontier.
- Build it right, then fast: We obsess over quality and are giving you the mandate to build in the right security foundations before we scale.
- Interdisciplinary, seasoned team: You’ll work directly with a physician-CEO (deep user-research mindset), a lawyer-COO (operations and compliance rigor), and a CTO with a decade in full-stack data science.