Hashgraph is hiring a

Web3 Product Security Engineer

About Hashgraph:
Hashgraph is a fast-growing software company committed to supporting, developing and servicing Hedera, an open source, proof-of-stake platform. Hedera is EVM-compatible and has been specifically built to meet the needs of enterprise and Web3 applications, which require speed, security, stability and sustainability. Hedera’s public network is governed by industry-leading organizations, spanning 11 sectors and 14 regions who oversee the development and direction of the decentralized platform.

You may find yourself doing all of the following:

• Conduct comprehensive product security assessments of blockchain-based systems, with a strong focus on Web3 security, smart contracts, and protocol-level risks
• Design and write malicious smart contracts and adversarial test cases to exploit and identify vulnerabilities in Hedera Blockchain and EVM-compatible systems
• Develop, implement, and continuously improve security strategies, architectures, and best practices for Hedera blockchain protocols, smart contracts, bridges, and associated services
• Partner closely with engineering teams to embed security into design, development, and deployment workflows
• Design and execute penetration testing, threat modeling, and vulnerability assessments across blockchain networks, nodes, APIs, and supporting infrastructure
• Identify, track, and stay ahead of emerging blockchain and Web3 threats, exploits, and attack patterns; provide actionable mitigation guidance
• Build and contribute to security tooling, frameworks, and automation tailored for blockchain environments, including CI/CD integrations
• Leverage AI/LLMs and automation to enhance product security reviews, vulnerability discovery, threat modeling, and security testing workflows
• Assist in incident response and post-incident analysis related to blockchain security events, including root cause analysis and remediation guidance
• Educate engineers and internal stakeholders on blockchain security principles, secure coding practices, and real-world attack scenarios
• Participate in and contribute to security awareness and secure development training programs across the organization

Qualification Requirements:

• Must be available to work within the EU time zones
• Bachelor’s or Master’s degree in Computer Science, Information Security, Cryptography, Blockchain, or a related field (or equivalent practical experience)
• 8+ years of experience in product security, application security, or penetration testing, including 2+ years focused on blockchain security, smart contract auditing, or Web3 security
• Solid understanding of EVM internals, smart contract execution, and common Web3 architectures; knowledge of Hedera Blockchain is a strong plus
• Deep knowledge of Web3 technologies and protocols, such as Ethereum, gossip-based networks, IPFS, and related decentralized systems
• Proven experience with blockchain-specific security assessment tools, methodologies, and manual testing techniques
• Strong understanding of blockchain attack vectors and vulnerability classes, including gas fees, authorization control flaws, fungible and non-fungible tokens issues, and bridge exploits
• Working knowledge of cryptographic principles and protocols relevant to blockchain systems (hashing, signatures, key management, consensus assumptions)
• Hands-on experience with static analysis, dynamic analysis, fuzzing, and custom security testing tools
• Strong understanding of secure coding practices, particularly in Java and Rust
• Excellent analytical, problem-solving, and communication skills, with the ability to collaborate effectively across engineering and product teams
• Programming experience and understanding code in any language. 

Other skills that are great to bring with you but that we can help you develop:

• Industry-recognized security certifications such as OSCP, OSEP, OSWA, OSWE; blockchain security certifications are a plus
• Experience in bug bounty programs, security research, CVE publications, red teaming, or attack surface management
• Red Team experience, ideally in web3
• Experience securing or operating systems in cloud environments (AWS, GCP, Azure), including IAM and key management
• Proficiency in scripting and general-purpose programming languages such as Python, Bash, or PowerShell for tooling and automation
• Experience with containerization and orchestration technologies (Docker, Kubernetes) and their associated security best practices
• Familiarity with DevSecOps pipelines, CI/CD security controls, and infrastructure-as-code security
• Coding experience in Java, Rust, and/or Python
• AI tool building