Polymarket

prediction market platform

Application Security Engineer

$180–250k · New York, New York, United States · FULL TIME
Market Sentiment
HIGH DEMAND

Neural analysis suggests this role is optimal for Mid candidates.

The Brief

“Application Security Engineer at Polymarket. Skills: Application Security, SDLC Security, Penetration Testing, Secure Code Review, SAST/DAST/SCA Tooling, Threat Modeling. Own the application security program across the SDLC — from design review through deployment. Conduct threat modeling on new features and architectural changes; perform security design reviews and code reviews on high-risk changes”

What You'll Achieve.

identify and fix vulnerabilities before they reach production; make secure development the default; lead hands-on security assessments of our externally-facing platform; raise the security bar without becoming a bottleneck

Industry & Context.

prediction market platform

What They're Looking For.

Must Have

  • 3+ years of hands-on application security experience — penetration testing, secure code review, or a dedicated AppSec engineering role
  • Proficiency identifying and exploiting OWASP Top 10
  • Experience assessing modern web applications and API architectures
  • Experience deploying and operating SAST, DAST, and SCA tooling (Semgrep, Snyk, Burp Suite, or equivalent)
  • Ability to read and write code in at least one common backend language (Python, Go, TypeScript, or similar) to conduct meaningful code review
  • Experience conducting or managing penetration tests against web applications and REST/GraphQL APIs
  • Solid understanding of authentication and authorization patterns: OAuth 2.0, JWT, session management, RBAC, and common weaknesses in each
  • Clear written communication — able to write findings that developers actually read and act on

Nice to Have

  • Experience with a bug bounty platform (HackerOne, Bugcrowd, or equivalent) as an operator
  • Familiarity with smart contract security, blockchain transaction flows, or Web3 threat models
  • Experience securing financial transaction systems — payment flows, fraud vectors, double-spend risks
  • Security certifications: OSCP, GWAPT, GWEB, or equivalent
  • Exposure to AWS application-layer security services: WAF, API Gateway, Cognito, Shield
  • Prior experience building or scaling a security champions program inside an engineering organization

What You'll Do.

Own the application security program across the SDLC — from design review through deployment

Conduct threat modeling on new features and architectural changes; perform security design reviews and code reviews on high-risk changes

Own the SAST, DAST, and SCA toolchain — selection, deployment, tuning, and CI/CD integration

Triage and prioritize automated scanner output

Conduct manual penetration testing and security assessments of web applications, APIs, and internal services

Manage the external penetration testing program and own the bug bounty program end-to-end

Track and drive remediation of application-layer vulnerabilities across the product

Monitor CVEs and escalate exploitable issues requiring immediate action

Develop and maintain secure coding guidelines and developer-facing security education

How You'll Work.

Team & Collaboration

Partner directly with product and engineering teams to identify and fix vulnerabilities; Deliver risk-ranked backlog to engineering teams; Collaborate with security champions

Communication Scope

Clear written communication — able to write findings that developers actually read and act on

Process & Methodology

Manage the external penetration testing program, Own the bug bounty program end-to-end, Track and drive remediation of application-layer vulnerabilities

Full Job Description

ABOUT POLYMARKET

Polymarket is the world's largest prediction market platform. We enable individuals to express views on real-world events by trading on outcomes across politics, economics, sports, culture, and current affairs. Built as a peer-to-peer marketplace with no centralized "house," Polymarket aggregates diverse opinions into transparent, market-based probabilities that reflect collective expectations about the future. We're growing fast — both in terms of volume ($21B traded in 2025) and adoption as an alternative news source. Our ambition is to become a ubiquitous beacon of truth in global media and we need your help adding fuel to the fire.

ABOUT THE ROLE

Polymarket is looking for an Application Security Engineer to embed security throughout our software development lifecycle. You'll partner directly with product and engineering teams to identify and fix vulnerabilities before they reach production, own the tooling and processes that make secure development the default, and lead hands-on security assessments of our externally-facing platform. This is a high-ownership role at a company where engineering moves fast — the right candidate knows how to raise the security bar without becoming a bottleneck.

WHAT YOU'LL DO

- Own the application security program across the SDLC — from design review through deployment — ensuring security is addressed early and consistently
- Conduct threat modeling on new features and architectural changes; perform security design reviews and code reviews on high-risk changes with specific, actionable findings
- Own the SAST, DAST, and SCA toolchain — selection, deployment, tuning, and CI/CD integration so findings surface at commit time, not post-deployment
- Triage and prioritize automated scanner output, delivering a risk-ranked backlog rather than raw tool output to engineering teams
- Conduct manual penetration testing and security assessments of web applications, APIs, and internal services — with particular focus on authent


How to Apply on Ashby

  • Ashby is a fast modern ATS — most applications take under 3 minutes.
  • The resume parser is strong; verify parsed experience dates and job titles.
  • Custom screening questions are often scored algorithmically — answer completely.
  • Location field affects geo-based screening; use your actual metro area.
