About the Role
You will own the Foundation's security posture across protocol development, infrastructure, tooling, access, custody interfaces, vendor risk and incident readiness. You'll work closely with the COO, CTO, Head of Product, engineering leads, external auditors, bug bounty providers, ecosystem contributors and governance stakeholders to keep the protocol and ecosystem secure as v4 expands into new markets, assets and institutional integrations. You'll operate at both strategic and hands-on levels across smart contract security, infrastructure security, incident response, vendor management and operational security.
Requirements
- 8+ years security experience, including hands-on security engineering, application security or infrastructure security, with demonstrated end-to-end ownership of a security function
- Direct crypto, DeFi, smart contract, blockchain infrastructure or protocol security experience
- Strong understanding of smart contract audits, vulnerability management, bug bounties and secure deployment practices
- Experience hardening cloud, GitHub, CI/CD, identity, access, secrets management and endpoint environments
- Experience leading incident response for high-severity technical or security events
- Ability to operate as both security strategist and hands-on builder in a small team
- Traditional finance or other critical financial infrastructure experience is desirable but not required
Responsibilities
- Own the Foundation security program across protocol, infrastructure, applications, internal tools, vendors and access controls
- Support protocol and ecosystem security by coordinating secure development practices, audit processes, vulnerability handling, contributor guidance and incident response readiness
- Manage and coordinate with Compound's security service providers, including audit firms, formal verification specialists and incident response providers
- Partner with CTO and engineering team on secure architecture, secure SDLC, code review and deployment practices
- Implement incident response procedures for vulnerabilities, exploits, access compromise, vendor compromise and operational security events
- Harden identity, access management, secrets, GitHub, cloud, CI/CD, endpoint and offboarding practices
- Support wallet, multi-sig, key management and custody security standards in partnership with Finance/Treasury and Risk
- Evaluate security vendors, auditors, bug bounty platforms and external experts
- Produce short, decision-ready security updates for leadership; escalate material issues or launch blockers quickly