• Description
  • Identifying vulnerabilities in any applications and IT infrastructure components through penetration testing or any formats of security assessment, and determining the risk of identified vulnerability to be handled properly by the other team
  • Defining risk categories and respective treatment or communication plan to handle the vulnerability properly without harming the organization due to longer response to remediate the vulnerability
  • Developing a plan to conduct technical security assessments which might cover social engineering, vulnerability assessment, and penetration testing through several approaches (black box, grey box, or white box) to ensure the assessment is performed periodically
  • Reviewing reported vulnerability identified by an external party or any other team to validate it and doing follow up as necessary, in particular, if the vulnerability is valid
  • Managing overall processes of the bug bounty program, from verifying the reported bug until requesting a financial team to pay the valid bug to respective bug hunter
  • Evaluating bugs identified by an external party and thereafter providing recommendations to relevant teams that are responsible to prevent similar bugs occurred in the future, in order to improve our protection of critical information assets
  • Reporting and communicating the identified vulnerabilities to management (for escalation purposes) or other teams (internal or external) that are responsible to remediate identified vulnerabilities, to discuss and acquire commitment of that party to remediate it immediately, particularly for high severity vulnerabilities
  • Working closely with other teams that are responsible for developing or configuring the system to devise technical security assessment plan
  • Helping or assisting other teams that is responsible for fixing the vulnerability in order to expedite the remediation process and the identified vulnerability can be handled accordingly
  • Improving the technical security assessment mechanism (normally called penetration testing) by learning other people's proof of concept and applying it to the internal testing mechanism


  • Strong penetration testing / Red Team experience
  • Experience performing discovery activities, attack planning, test execution, and detailed reporting on penetration testing scenarios and findings
  • Proficient with Metasploit, Cobalt Strike, Canvas or equivalent framework
  • Solid understanding of networking, TCP/IP, and virtualization
  • Solid understanding of tactics and techniques for evading Intrusion Detection Systems and Security products
  • Experience with Bash scripting and basic Perl, Java, or Python
  • Experience with bounty program and preferred at least identified a valid bug on major platforms such as hackerone, bug crowd, etc
  • Able to communicate the identified vulnerabilities to other team members through easy and understandable explanation
  • Preferably pose OSCP certification

Other jobs at Tokopedia