Web2 & Mobile Security Researcher

About the role

This role offers the chance to help scale Certora’s Web2 and mobile security research domain, expanding our technical depth, research capacity, and ability to deliver high-impact work across complex real-world systems. As part of a company already recognized as a leader in Web3 security, you will help extend our expertise into new areas, contribute to research methodologies and standards, and drive meaningful impact across cutting-edge technologies.

As a Security Researcher, you will focus on the in-depth analysis of web and mobile applications, performing white-box code reviews to uncover vulnerabilities and security flaws. Your work will include investigating how applications interact with Web3 infrastructures, analyzing integrations with wallets, SDKs, and smart contracts, and identifying risks unique to these environments. You will produce high-quality research, develop proof-of-concepts, and collaborate with developers to ensure secure design and implementation. This role is hands-on and research-driven, offering the opportunity to work on complex real-world systems at the intersection of Web2, mobile, and Web3.

Requirements:

• 5+ years of hands-on experience in application security or vulnerability research, with a strong focus on white-box code review.
• Demonstrated experience in building or shaping new security domains, practices, or methodologies within an organization.
• Strong background in Web2 application security: OWASP Top 10, authentication/authorization flaws, and logic vulnerabilities.
• Hands-on experience with at least one major programming language: Rust, C, JavaScript/TypeScript, Python, Java/Kotlin, or C#.
• Hands-on experience in mobile application security (iOS/Android), including storage, networking, Memory and key management vulnerabilities.
• Familiarity with security testing tools (SAST/DAST, dependency scanning, fuzzing).
• Ability to clearly document findings, develop proof-of-concepts, and communicate remediation guidance to developers.
• Strong written and verbal communication skills in English.

Advantages:

• Familiarity with Web3 integrations: wallets (MetaMask, WalletConnect), blockchain SDKs (ethers.js, web3.js), and RPC/API providers.
• Understanding of smart contract interactions and common blockchain attack vectors (e.g., replay attacks, transaction signing issues, key management flaws).
• Experience with reverse engineering, fuzzing, or binary analysis.
• Contributions to open-source security tools, research papers, or technical blogs.
• Knowledge of CI/CD pipelines and secure development lifecycle (SDLC) best practices.
• Experience with off-chain systems and data handling, including interaction with backend services, APIs, or databases that support blockchain applications.
• Track record of impactful vulnerability research, including CVEs, responsible disclosures, bug bounty findings, or published technical writeups.