
Senior Product Vulnerability Manager

Job in Lubbock, Lubbock County, Texas, 79401, USA
Listing for: HID Global Corporation
Full Time position
Listed on 2026-05-30
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security
Salary/Wage Range or Industry Benchmark: 125000 - 150000 USD Yearly
Job Description & How to Apply Below

Location: Remote (US & Europe)

Job : 47562

As part of the Product Security and Privacy team, you will own and operate the corporate‑wide Product Vulnerability Management program. You will establish the organization’s technical and operational capabilities to detect, triage, prioritize, and respond to product vulnerabilities across a diverse portfolio of products and technologies. You will be accountable for the consistency, scalability, and defensibility of vulnerability management practices and ensure processes, tooling, and outputs are standardized, audit‑ready, and aligned with regulatory expectations, including the EU Cyber Resilience Act (CRA).

You will operate at a strategic level, enabling product teams to execute vulnerability management activities effectively through defined standards, tooling, and governance.

Responsibilities
  • Defining and maintaining the enterprise Product Vulnerability Management framework, including processes for intake, triage, prioritization, remediation tracking, and disclosure.
  • Establishing standardized vulnerability triage and risk prioritization methodologies that work across the organization.
  • Defining and implementing the corporate‑wide vulnerability management policies and standards, ensuring our Product Security Incident Response processes are aligned with the organization’s expectations and regulatory requirements.
  • Owning the Coordinated Vulnerability Disclosure (CVD) program, including external intake channels, researcher engagement, and coordination.
  • Translating regulatory requirements (e.g., EU Cyber Resilience Act) into operational processes, controls, and reporting obligations.
  • Defining and managing the enterprise tooling strategy for vulnerability detection (e.g., SAST, DAST, SCA, container scanning), including selection, configuration, and integration into CI/CD pipelines.
  • Establishing minimum tooling and coverage baselines across product types and ensuring consistent adoption.
  • Defining and operationalizing SBOM‑driven vulnerability management practices, including monitoring and response to third‑party component vulnerabilities.
  • Developing scalable playbooks, guidance, and decision frameworks enabling product teams to independently triage and respond to vulnerabilities.
  • Defining training requirements and developing enablement materials for product teams on vulnerability identification, triage, and response processes.
  • Establishing metrics, reporting, and dashboards to measure vulnerability management effectiveness, including SLA adherence, backlog, and remediation timelines.
  • Providing executive‑level reporting and insights on product vulnerability risk posture.
  • Defining governance processes, including exception handling, risk acceptance, and escalation pathways.
  • Leading audit and assessment readiness related to vulnerability management processes and outputs.
  • Building and leading a small team responsible for program operations, tooling, and disclosure coordination.
  • Partnering with Product Security Architects, Engineering, Legal, and Compliance teams to ensure alignment and effective execution across the organization.
  • Acting as the central authority for product vulnerability management practices across the organization.
  • Enabling a federated operating model where product teams own remediation while adhering to centralized standards and processes.
  • Driving consistency in vulnerability handling across a large and diverse product portfolio.
  • Ensuring vulnerability management practices scale effectively across hundreds of products and multiple technology domains.
  • Providing strategic direction for continuous improvement of vulnerability management capabilities, tooling, and processes.
  • Supporting regulatory audits and customer inquiries related to vulnerability management and disclosure practices.
Experience and Background
  • Experience designing, building, or scaling a vulnerability management or PSIRT program within a product security or application security context.
  • Strong understanding of the vulnerability lifecycle, including detection, triage, prioritization, remediation tracking, and disclosure.
  • Working knowledge of application security…
Position Requirements
10+ years of work experience