Web2 & Mobile Security Researcher

About Certora

Certora is the security assurance partner trusted by the most advanced teams in Web3. Founded in 2018 by pioneers in programming languages and formal methods, Certora helps leading protocols like Lido, Aave, Uniswap, and Compound secure billions in value with confidence.

But we’re not just another auditor. We’re a full-stack security assurance platform, combining best-in-class formal verification tools with expert advisory services, delivered on time and with zero compromise. Whether you’re launching a new protocol, upgrading core infrastructure, or securing a DeFi primitive, Certora doesn’t just look for vulnerabilities. We help platforms prove correctness, accelerate development speed, and embed safety into their design from day one.

Our services include:

- Proven, scalable tooling for checking real deployed code

- A deep partnership model with on-demand support

- Fast, responsive execution that helps companies go-to-market faster

For us, security isn’t a checklist, it’s a continuous process. Certora is the most comprehensive and trusted security firm to ensure a platform is protected, even under adversarial conditions.

From testnet to mainnet, we’re with you.

About the role

This role offers the chance to help scale Certora’s Web2 and mobile security research domain, expanding our technical depth, research capacity, and ability to deliver high-impact work across complex real-world systems. As part of a company already recognized as a leader in Web3 security, you will help extend our expertise into new areas, contribute to research methodologies and standards, and drive meaningful impact across cutting-edge technologies.

As a Security Researcher, you will focus on the in-depth analysis of web and mobile applications, performing white-box code reviews to uncover vulnerabilities and security flaws. Your work will include investigating how applications interact with Web3 infrastructures, analyzing integrations with wallets, SDKs, and smart contracts, and identifying risks unique to these environments. You will produce high-quality research, develop proof-of-concepts, and collaborate with developers to ensure secure design and implementation. This role is hands-on and research-driven, offering the opportunity to work on complex real-world systems at the intersection of Web2, mobile, and Web3.

Requirements:

5+ years of hands-on experience in application security or vulnerability research, with a strong focus on white-box code review.

Demonstrated experience in building or shaping new security domains, practices, or methodologies within an organization.

Strong background in Web2 application security: OWASP Top 10, authentication/authorization flaws, and logic vulnerabilities.

Hands-on experience with at least one major programming language: Rust, C, JavaScript/TypeScript, Python, Java/Kotlin, or C#.

Hands-on experience in mobile application security (iOS/Android), including storage, networking, Memory and key management vulnerabilities.

Familiarity with security testing tools (SAST/DAST, dependency scanning, fuzzing).

Ability to clearly document findings, develop proof-of-concepts, and communicate remediation guidance to developers.

Strong written and verbal communication skills in English.

Advantages:

Familiarity with Web3 integrations: wallets (MetaMask, WalletConnect), blockchain SDKs (ethers.js, web3.js), and RPC/API providers.

Understanding of smart contract interactions and common blockchain attack vectors (e.g., replay attacks, transaction signing issues, key management flaws).

Experience with reverse engineering, fuzzing, or binary analysis.

Contributions to open-source security tools, research papers, or technical blogs.

Knowledge of CI/CD pipelines and secure development lifecycle (SDLC) best practices.

Experience with off-chain systems and data handling, including interaction with backend services, APIs, or databases that support blockchain applications.

Track record of impactful vulnerability research, including CVEs, responsible disclosures, bug bounty findings, or published technical writeups.

Certora People

We are Customer Centric, when we commit, the customer knows we will deliver in a quality and timely manner.

We Move Fast - we’re looking for people with a bias for action and a sense of urgency to achieve quick results while we also Break Nothing – we have high-quality standards, we are looking for people who are professional and hold themselves accountable.

We win as a Team – our teams are distributed around the world. We understand our individual roles and commit to the team's goals.

We have a positive “can do” attitude. We support each other and are encouraged to ask for help and collaborate. We enable people to grow by clarifying expectations and giving candid feedback and on-the-job development opportunities. We welcome collaboration both internally and externally for outstanding delivery.

We are Pioneers in DeFi security and FV experts - we are one of the best companies to help developers and security researchers secure Web3 but we’re humble and always eager to learn more.

Why join Certora?

Certora provides you a wonderful opportunity to:

Work on cutting-edge technology and challenging problems at the forefront of Web3 applications and technologies

Contribute to unique formal verification technology, the leading way to ensure the behavior of any type of software

Experience a friendly creative start-up environment with top talent in the domain

Work in a fast-paced and supportive culture: we move fast and break nothing!

Enjoy flexible work (remote / hybrid)

Get competitive compensation & benefits (including equity)