Security Analyst, Bug Bounty

About the Security Analyst, Bug Bounty Role at Shopify

We’re seeking an experienced Security Analyst to join Shopify’s security organization, focused on our Bug Bounty program operations.

Shopify powers millions of merchants worldwide—which means a large and dynamic attack surface. You'll work at the intersection of external researchers, internal engineering, and AppSec, turning vulnerability reports into clear, actionable findings that protect Shopify and its merchants. This role is equal parts security analysis, operational excellence, and high-quality communication.

Your key areas of ownership are:

• Bug bounty report triage quality and timeliness (meet SLOs, keep queues healthy, reduce rework).
• Reproducing and validating reported security issues (prove exploitability, confirm impact, confirm affected assets, confirm fixes via retest/validation).
• Writing clear, friendly, high-signal communication to external researchers while representing Shopify well.
• Maintaining meticulous internal documentation and context so issues can be routed and resolved efficiently.
• Using data to quantify performance and program health (queue state, SLOs, throughput, trend reporting).
• Partnering with AppSec engineering when a report requires deeper engineering expertise.

You will:

• Detect, evaluate, and help address security threats to Shopify and its merchants; develop security controls and protocols; perform security audits; conduct vulnerability assessments and penetration tests; assist in the creation and implementation of security solutions; help mitigate compliance and regulatory risks.
• Solve problems quickly and follow (and improve) the team’s playbooks.
• Be meticulous in documentation and context capture (so others can pick up work without losing time).
• Use data to investigate emerging risks/trends and translate them into repeatable solutions.
• Mentor teammates, raise the bar, and become the “go-to” expert in at least one area of the program (triage domain, vulnerability class, product area, tooling/workflows, etc.).

What You'll Need to Succeed

To be successful as a Security Analyst, Bug Bounty you will need:

• Strong written communication skills.
• A track record of fast, high-quality problem solving, with good judgment around impact, severity, and next steps.
• Comfort operating in externally-facing workflows with security researchers, representing Shopify professionally and consistently.
• Operational discipline: you follow playbooks, improve them when they’re wrong or incomplete, and turn “institutional knowledge” into documentation.
• High attention to detail in notes, reproduction steps, evidence, and decision rationale.
• A data-informed mindset: you use metrics to quantify your throughput and quality, track trends, and help improve program health over time.
• A growth-and-multiplication approach: you mentor teammates, raise the bar, and develop deep expertise in at least one domain (vuln class, product area, triage workflow/tooling).
• A strong sense of accountability: you take responsibility for the quality of your interactions and outcomes, and you’re ambitious about improving the security and experience we deliver.

Role-Specific Experience and Capabilities

• Strong working knowledge of web application security fundamentals (authn/authz, session management, injection, IDOR, SSRF, XSS, CSRF, access control, multi-tenant risk, etc.).
• Demonstrated ability to reproduce vulnerability reports reliably and communicate impact precisely.
• Experience doing vulnerability assessment and/or penetration testing (professionally or in a structured program).
• Strong judgment on severity/impact assessment and how to ask for additional info when needed.
• Comfortable working in operational queues and juggling multiple in-flight investigations without losing quality.

About Shopify

Opportunity is not evenly distributed. Shopify puts independence within reach for anyone with a dream to start a business. We propel entrepreneurs and enterprises to scale the heights of their potential. Since 2006, we’ve grown to over 8,300 employees and generated over $1 trillion in sales for millions of merchants in 175 countries.

This is life-defining work that directly impacts people’s lives as much as it transforms your own. This is putting the power of the few in the hands of the many, is a future with more voices rather than fewer, and is creating more choices instead of an elite option.

About You

Moving at our pace brings a lot of change, complexity, and ambiguity—and a little bit of chaos. Shopifolk thrive on that and are comfortable being uncomfortable. That means Shopify is not the right place for everyone.

Before you apply, consider if you can:

• Care deeply about what you do and about making commerce better for everyone
• Excel by seeking professional and personal hypergrowth
• Keep up with an unrelenting pace (the week, not the quarter)
• Be resilient and resourceful in face of ambiguity and thrive on (rather than endure) change
• Bring critical thought and opinion
• Put AI agents and tools to work on the tasks they're built for, and focus on the work only humans can do
• Embrace differences and disagreement to get shit done and move forward
• Work digital-first for your daily work

We may use AI-enabled tools to screen, select, and assess applications. All AI outputs are reviewed and validated by our recruitment team.

Key skills/competency

• Bug Bounty Program Management
• Security Analysis
• Vulnerability Triage
• Web Application Security
• Penetration Testing
• Technical Communication
• Operational Excellence
• Data-informed Decision Making
• Incident Reproduction
• Impact Assessment