Job Title-: Senior Software Engineer (Open Source)
Duration- 12 Months
Location-: Remote - EST Hours

Job Description Summary

The Clients Product Security team is looking for a Senior Software Engineer. In this role, you will work as part of a team responsible for establishing the technical stewardship capabilities required by the EU Cyber Resilience Act (CRA). You will focus on developing the tooling and infrastructure necessary to generate comprehensive Software Bill of Materials (SBOMs) for critical open-source community projects and integrating these manifests into client's incident response workflows. You will build automated solutions that bridge the gap between upstream project development and downstream security compliance, ensuring rapid detection of vulnerabilities in open-source components. You will collaborate with internal security teams and external open-source communities to align on data standards and "secure by design" principles.

Job Responsibilities

• Design and develop automated tooling to generate and maintain Software Bill  of Materials (SBOMs) for upstream open-source projects in standardized machine-readable formats (e.g., SPDX, CycloneDX).
• Integrate SBOM generation into community Continuous Integration (CI) systems to ensure real-time tracking of top-level and transitive dependencies, including the generation of unique component identifiers (CPE, PURL).
• Build "Early Warning" workflows by connecting community SBOMs with client's Product Security Incident Response Team (PSIRT) tooling, enabling the automatic mapping of new vulnerabilities (CVEs) to impacted upstream projects.
• Implement machine-readable advisory generation (CSAF VEX) for community projects to support transparency and automated vulnerability handling requirements.
• Continuously improve tooling to reduce the average time to patch critical vulnerabilities in stewarded open-source components.

Skills Required

• Advanced (5+ years) knowledge of Python programming language and their
• ecosystems.
• Deep understanding of Software Supply Chain Security concepts, including SBOM standards (SPDX, CycloneDX) and vulnerability data formats (CSAF,VEX, OSV).
• Intermediate (3+ years) experience with relational databases (e.g., PostgreSQL) for managing vulnerability and component metadata.
• Experience with CI/CD pipelines (e.g., Tekton, GitHub Actions, GitLab CI) and integrating security scanning tools into build processes.
• Interest in the container ecosystem (Kubernetes, Red Hat OpenShift, Podman).
• Good written and verbal communication skills in English, with a strong ability to collaborate in open-source communities.

 
 
At SPECTRAFORCE, we are committed to maintaining a workplace that ensures fair compensation and wage transparency in adherence with all applicable state and local laws. This position’s starting pay is: $ 50.00/hr.