Staff Security Researcher
1Password
Job Overview

Job Description
About 1Password
1Password is experiencing unprecedented growth, having surpassed $400M in ARR and consistently earning a spot on the Forbes Cloud 100. We are building the foundation for a safe, productive digital future by enabling secure identity, application sign-in, and trusted device access. As pioneers in Extended Access Management and a market-leading enterprise password manager, we offer a human-centric approach to cybersecurity, trusted by over 180,000 businesses globally. If you are driven to contribute to digital safety, collaborate with a curious team, and solve complex problems in a dynamic environment, we encourage you to apply.
Role Overview: Staff Security Researcher
We are establishing a world-class security research program to enhance the security of 1Password's products and advance the broader identity security landscape. As a Staff Security Researcher, you will join this greenfield team as a senior individual contributor. Your role involves conducting deep, original vulnerability research across 1Password's product suite and the wider identity ecosystem. You will investigate emerging attack vectors, develop proof-of-concept exploits, responsibly publish your findings, and collaborate with engineering teams to implement mitigation and remediation strategies. Your contributions will directly influence our product security posture and elevate identity security standards across the industry.
As part of the Product Security organization, you will partner with various teams including Product, Engineering, Marketing, and security leaders to protect our customers and foster a safer digital future. You will also build strong relationships with the global security research community through technical publications, responsible disclosure, and collaborative dialogue.
This is a Remote opportunity within Canada and the US.
Key Responsibilities
- Vulnerability Research: Conduct original, hands-on research into application-level, protocol-level, and ecosystem-level vulnerabilities within 1Password’s products and the broader identity security landscape, discovering, validating, and documenting novel vulnerability classes and attack chains.
- Demonstrate Exploitability: Develop proof-of-concept exploits and attack demonstrations to validate research findings, illustrate real-world risk, and support engineering teams in understanding and prioritizing remediation efforts.
- AI & Agentic Security Research: Investigate security risks at the intersection of AI and identity, including prompt injection, data poisoning, and other AI-based attack vectors, addressing the emerging challenges of agentic security.
- Technical Publications & Thought Leadership: Author high-quality research publications, white papers, blog posts, and technical advisories, with opportunities to present findings on podcasts, webinars, and major security conferences.
- Standards Engagement: Contribute to standards bodies such as NIST, FIDO, and MCP, advancing 1Password’s involvement in shaping identity and security standards.
- Community Engagement: Actively engage with the global security research community through responsible disclosure, collaborative research, open-source contributions, and participation in industry forums/events.
- Cross-functional Collaboration: Partner with Product, Engineering, and Detection teams to translate research findings into actionable security improvements and provide evidence-based technical guidance.
- Mentorship: Mentor junior and mid-level security colleagues, sharing knowledge, reviewing research, and fostering a culture of curiosity and rigor across the security organization.
Qualifications
- 6+ years of progressive experience in security research, offensive security, or vulnerability research.
- Bachelor’s degree in Computer Science, Computer Engineering, Information Security, or a related field; or equivalent practical experience.
- Proven track record of discovering and responsibly disclosing original vulnerabilities, ideally with published CVEs, advisories, or equivalent publicly-recognized findings.
- Hands-on expertise in vulnerability research, exploit development, or advanced adversarial simulation techniques.
- Deep domain expertise across one or more of the following: application security, cryptography, access governance, identity protocols (SAML, OAuth, OIDC, SCIM, FIDO/WebAuthn), Linux/Windows/macOS system internals, AI/Agentic security, Web application security, or Mobile application security.
- Familiarity with prompt injection, data poisoning, AI design architecture, AI-based attacks, and related vectors.
- Proficiency in one or more programming languages such as Go, Rust, Python, Ruby, JavaScript/TypeScript, with the ability to read and audit code for vulnerabilities.
- Consistent history of handling vulnerabilities and disclosures responsibly and constructively engaging with vendors and the research community.
- A record of publications, conference presentations, vulnerability disclosures, or community contributions demonstrating thought leadership.
- Strong written and verbal communication skills, with demonstrated ability to produce technical publications, blog posts, and/or conference talks.
Key skills/competencies
- Vulnerability Research
- Offensive Security
- Exploit Development
- Identity Protocols
- AI Security
- Application Security
- Cryptography
- Reverse Engineering
- Responsible Disclosure
- Technical Writing
How to Get Hired at 1Password
- Research 1Password's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor.
- Customize your resume: Tailor your experience in security research, offensive security, and vulnerability disclosure to the Staff Security Researcher role's specific requirements.
- Highlight AI security expertise: Emphasize any experience with prompt injection, data poisoning, or AI-based attack vectors, aligning with 1Password's focus.
- Showcase thought leadership: Provide links to published CVEs, research papers, conference presentations, or open-source contributions in your application.
- Prepare for technical interviews: Expect questions on application security, identity protocols, cryptography, and code auditing in modern programming languages.