Application Security Engineer, AI-Assisted Vulnerability Management
Eclipse Foundation · European Union
- Hybrid
- Contract
- $120,000 / year
- European Union
This role may have been filled. Drop your résumé and we'll check if it's still open — or find you similar roles.
Job highlights
- Design AI-assisted vulnerability management workflows.
- Build and integrate security analysis pipelines.
- Collaborate with open source project maintainers.
- Identify and remediate security vulnerabilities at scale.
- Improve security discovery and remediation processes.
About the role
About Eclipse Foundation
The Eclipse Foundation is one of the world’s largest open source software foundations, with a proven track record of enabling developer-focused open source innovation earned over 19 years. The Foundation is the home of numerous industry-leading projects and collaborations including Adoptium, Software Defined Vehicle, Eclipse IDE, IOT and Jakarta EE. Supported by over 350 members globally, the Foundation has an established international reach and reputation.The Role
We are looking for an Application Security Engineer to design, build, and operate AI-assisted vulnerability management workflows across Eclipse Foundation open source projects. This role combines application security, security automation, and practical use of large language models to help identify, triage, and remediate vulnerabilities at a scale that would be difficult to achieve manually. This is not a role focused on casually prompting a chatbot. You will build pipelines, integrate AI-assisted analysis into developer and CI/CD workflows, evaluate findings critically, reduce false positives, and collaborate with project maintainers to land real fixes. The goal is to deliver measurable improvements in how the Foundation discovers, prioritizes, and resolves security issues across its project portfolio.Location and Term
This is an initial 12-month fixed-term role, fully remote and open to candidates located in the European Union, Canada, and the United States. Depending on organizational needs, funding, performance, and mutual fit, there may be an opportunity for renewal or transition to an ongoing/permanent position.Responsibilities
- Design and implement pipelines that use large language models, AI-assisted code analysis, and traditional security tools to scan Eclipse projects for vulnerabilities, including code-level flaws, dependency risks, and misconfigurations.
- Create workflows that separate true positives from noise, prioritize findings based on severity and exploitability, and produce actionable reports for project teams.
- Work with project maintainers to propose fixes, submit pull requests, and validate that vulnerabilities have been properly resolved.
- Benchmark AI-assisted approaches against traditional SAST, DAST, SCA, and dependency-scanning tools. Measure false-positive rates, assess usefulness, and continuously refine prompts, retrieval strategies, evaluation methods, and model or tool selection.
- Help define safe and appropriate use of AI tooling, including the handling of sensitive vulnerability information, project source code, disclosure timelines, and data-sharing constraints.
- Produce internal playbooks, technical write-ups, and metrics dashboards so the security team can sustain and extend this work over time.
- Participate in vulnerability disclosure processes, CVE management, and security advisories as needed.
Success in This Role
Success in this role means helping the Eclipse Foundation improve the speed, accuracy, and consistency of vulnerability discovery and remediation. This includes reducing triage time, improving true-positive rates, increasing the number of actionable findings delivered to projects, and helping maintainers land verified fixes. The role requires careful human review of AI-generated findings before they are shared with maintainers. We value accuracy, reproducibility, and respectful collaboration over the volume of reports produced.Education
A degree in software engineering, computer science, cybersecurity, or a related field is welcome. Equivalent practical experience is also highly valued. Relevant certifications are considered an asset but are not required.Desired Skills and Experience
We are looking for someone who is curious, pragmatic, and service-oriented. The successful candidate will be comfortable investigating technical issues, asking thoughtful questions, documenting work carefully, and helping others understand and address security risks. This role requires someone who can operate with a high level of trust, communicate calmly during security events, and balance security priorities with the realities of a collaborative, mission-driven open source environment. You should be comfortable working with distributed teams and contributing to a culture where security enables participation, transparency, and resilience. You should also be comfortable communicating with volunteer and professional maintainers in a constructive, respectful, and actionable way.Must-Have Qualifications
- Strong application security background, including familiarity with common vulnerability classes such as OWASP Top 10 and CWE, secure coding practices, and practical exploitability analysis.
- Hands-on experience conducting security code reviews, audits, or assessments using SAST, DAST, SCA, dependency scanning, or other code analysis tools.
- Ability to build and integrate developer-facing tooling using languages such as Python, Java, TypeScript, or similar.
- Practical experience applying LLMs or AI-assisted tools to code analysis, vulnerability research, developer productivity, or security automation.
- Ability to evaluate AI-generated findings critically, measure false positives, and design human-in-the-loop review workflows.
- Familiarity with open source development workflows, including Git, GitHub or GitLab, pull requests, issue tracking, and CI/CD.
- Strong written communication skills, including the ability to write actionable security findings, advisories, issues, and remediation guidance for maintainers with varying security backgrounds.
Nice-to-Have Qualifications
- Experience contributing to or maintaining open source projects.
- Familiarity with the Eclipse Foundation ecosystem, including projects such as Eclipse IDE, Jakarta EE, Adoptium, Eclipse Mosquitto, or Software Defined Vehicle.
- Experience with tools such as CodeQL, Semgrep, GitHub Advanced Security, osv-scanner, Trivy, Grype, Syft, Dependabot, or similar.
- Background in prompt engineering, retrieval-augmented generation, or model evaluation for code-related tasks.
- Experience with vulnerability disclosure and CVE processes.
- Knowledge of software supply-chain security practices and technologies such as SBOM, Sigstore, SLSA, OSV, or OpenSSF Scorecard.
- Experience building dashboards, metrics, or reporting workflows for security programs.
Working Style
We are looking for someone who values practical impact over theoretical findings. You should be comfortable working across many projects, dealing with incomplete information, validating results carefully, and communicating findings in ways that help maintainers take action. This role requires good judgment, discretion with sensitive vulnerability information, and the ability to balance security urgency with open source community realities.Compensation and Benefits
We offer highly competitive compensation along with a comprehensive benefits package. We thank all applicants for their interest; however, only those to be interviewed will be contacted. For more information about Eclipse Foundation, please visit our website at https://eclipse.org/Accessibility
Eclipse respects the dignity and independence of people with disabilities, and is committed to providing accommodation and support to persons with disabilities throughout any recruitment process, once made aware of a need for accommodation. If you require any special accommodation or support during the recruitment process, please indicate in your email to us.Key skills/competency
- Application Security Engineer
- AI-Assisted Vulnerability Management
- Open Source Security
- Security Automation
- Large Language Models (LLMs)
- Vulnerability Triage
- CI/CD Integration
- SAST/DAST/SCA
- Secure Coding Practices
- Python/Java/TypeScript
Skills & topics
- Application Security Engineer
- AI
- Vulnerability Management
- Open Source
- Security Automation
- LLM
- Code Analysis
- CI/CD
- Python
- Cybersecurity
How to get hired
- Tailor your resume: Highlight application security, AI/LLM experience, and open source contributions.
- Showcase technical skills: Emphasize Python, Java, TypeScript, and security tools like SAST/DAST/SCA.
- Demonstrate collaboration: Provide examples of working with developers on security fixes.
- Understand open source: Familiarity with Git, pull requests, and CI/CD is crucial.
- Highlight AI/LLM use: Detail practical applications in security automation or analysis.
Technical preparation
Master Python for scripting security tools.,Practice SAST/DAST/SCA tool usage.,Build LLM prompts for code analysis.,Familiarize with Git and CI/CD workflows.
Behavioral questions
Describe a complex security issue you resolved.,How do you handle sensitive vulnerability data?,Explain a time you collaborated with developers.,How do you balance security with project needs?
Frequently asked questions
- What is the role of AI in this Application Security Engineer position at Eclipse Foundation?
- This Application Security Engineer role at Eclipse Foundation leverages AI, specifically large language models (LLMs), to automate and enhance vulnerability management. You will build pipelines that use AI for code analysis, vulnerability identification, and triage, aiming to improve the scale and efficiency of security processes across open source projects.
- What are the key responsibilities for an Application Security Engineer at Eclipse Foundation?
- Key responsibilities include designing and implementing AI-assisted vulnerability management pipelines, creating workflows to prioritize findings, collaborating with project maintainers on fixes, benchmarking AI tools against traditional methods, defining safe AI tooling usage, and producing documentation and metrics for the security team.
- What technical skills are essential for this Application Security Engineer role?
- Essential technical skills include a strong application security background (OWASP Top 10, CWE), experience with SAST, DAST, SCA tools, proficiency in languages like Python, Java, or TypeScript, practical experience with LLMs for code analysis, and familiarity with open source development workflows (Git, CI/CD).
- Is experience with open source projects required for the Application Security Engineer role at Eclipse Foundation?
- Familiarity with open source development workflows, including Git, GitHub/GitLab, pull requests, and CI/CD, is a must-have qualification. While direct contributions to open source projects are a 'nice-to-have', understanding how these projects operate is crucial for success in this role.
- What is the work arrangement and location for this Application Security Engineer position?
- This is a fully remote, initial 12-month fixed-term role. Candidates can be located in the European Union, Canada, or the United States. There is potential for renewal or transition to an ongoing position based on performance and organizational needs.
- How does Eclipse Foundation approach vulnerability disclosure for its open source projects?
- The Application Security Engineer will participate in vulnerability disclosure processes, CVE management, and security advisories. The role emphasizes careful human review of AI-generated findings before sharing with maintainers, valuing accuracy and reproducibility in collaboration with project teams.
Similar roles
Open positions we recommend based on this role.