Security Engineer
Openhomefoundation
Posted: Mar 04, 2026
Location: Remote (EU)
Type: Full-time
We are looking for
The Open Home Foundation is looking for a Security Engineer to join our Home Assistant team. This role focuses on keeping Home Assistant and its ecosystem secure by owning the intake and coordination of reported security issues, strengthening our CI/CD and release security, and proactively reducing risk through audits, testing, and security improvements.
You will work closely with engineering and the broader open-source community to improve our security posture across code, build pipelines, dependencies, and releases.
What you are going to do
- Own security issue intake and coordination by triaging reports submitted via our established channels (including private reports through GitHub Security Advisories and our security contact process), reproducing issues where needed, coordinating fixes with maintainers, and ensuring responsible disclosure practices.
- Drive timely remediation by tracking SLAs, communicating status with reporters and internal stakeholders, and coordinating releases and backports when required.
- Harden our CI/CD and release workflows by improving build pipeline security, secrets management, artifact integrity, and access controls, and by reducing exposure to supply chain attacks.
- Strengthen supply chain defenses by improving dependency and artifact verification, provenance, signing, and monitoring, and by hardening the paths through which third-party code and integrations enter the ecosystem.
- Build preventive security practices by introducing and continuously improving security testing and scanning in our engineering workflows, including SAST/DAST where appropriate, dependency and artifact scanning, and CI/workflow static analysis.
- Coordinate external security work by scoping and managing third-party audits, pentests, and targeted reviews, and by ensuring findings are remediated effectively.
- Create and maintain security processes and documentation that are clear, repeatable, and community-friendly, including runbooks for incident response and disclosure.
- Collaborate with the community by supporting maintainers and contributors with guidance, reviewing security-relevant pull requests, and helping raise security awareness across the project.
What you need to have
- 5+ years preferred, or 3+ years with strong, demonstrated ownership in vulnerability management and CI/CD / supply-chain security.
- Demonstrated experience triaging and coordinating vulnerability reports (e.g., CVEs, responsible disclosure workflows) and driving remediation across multiple stakeholders.
- Strong understanding of software supply chain security (dependencies, build systems, artifacts, signing, provenance, CI/CD hardening).
- Experience securing CI/CD pipelines (e.g., GitHub Actions), including secrets management, permissions, token scopes, and isolation.
- Practical knowledge of secure software development practices and the ability to perform risk assessments and security reviews.
- Ability to work independently, with strong problem-solving skills and attention to detail.
- Extensive proficiency with Git and GitHub workflows (pull requests, reviews, merging, etc.).
- Professional fluency in English, with excellent written and verbal communication skills.
- European residency: you must be currently based in Europe and eligible to work within it.
It would be great if you also have
- Experience with Python ecosystems and packaging (pip, PyPI), dependency management, and common security tooling.
- Familiarity with SBOMs, SLSA, signing and attestations (e.g., Sigstore/cosign), and reproducible builds.
- Experience with incident response and post-incident reviews.
- Prior contributions to Home Assistant or other open-source projects.
- Experience working with IoT / smart home software and threat models.
- Experience improving security testing and integrating checks into developer workflows.
- Affinity for the open-source philosophy and community-driven development.
- A passionate Home Assistant user, or a strong interest in smart home technology and automation.
What we offer you
The Open Home Foundation is a fully remote organization that uses an Employer of Record to employ people from all over the world. You will be a normal salaried employee in your country.
This is a full-time position for 40 hours per week. Because we are a fully remote company, there is no fixed schedule. For the purpose of team communication, we do try to ensure at least 3 hours of overlap in the workday. You will report to the Home Assistant Lead, who is based in the Netherlands.
Core to the establishment of the Open Home Foundation was the well-being of the people building the future of the smart home. We will provide all the benefits required by the country you reside in. However, we also want to make sure all our employees, regardless of country of origin, get at least a minimal set of benefits, including:
- Five weeks (twenty-five days) of paid time off.
- Fourteen days of paid sick leave if your country/laws treat them as unpaid.
- Six weeks of paid and six weeks of unpaid parental leave to be used in the first year after birth. We will provide the missing days if your country/laws do not provide such compensation.
- A budget for your work hardware once you start.
- A 50% contribution to your internet connection fee at your home workspace.
- If you are currently working on Home Assistant-related side projects, you can spend work time maintaining them.
When first offering a position to a new member, the Open Home Foundation aims to provide a total compensation package that matches the 75th percentile for the new hire's role, seniority, and local market rates. For a Security Engineer in our primary operating countries, the approximate yearly compensation will be the following:
- Netherlands: 78.000 EUR
- UK: 71.000 GBP
- Spain / Portugal: 58.000 EUR
- Italy: 64.000 EUR
- Other countries: compensation can be discussed during the first interview.
These figures may be adjusted based on experience, qualifications, and work hours.
About us
The Open Home Foundation is a non-profit organization based in Switzerland, with the objective of fighting for the fundamental principles of privacy, choice, and sustainability for smart homes. It does this by supporting the development of open-source projects, and open connectivity and communication standards.
A big part of this is Home Assistant, the biggest open-source project in number of contributors, but the Open Home Foundation also owns or collaborates with other projects important to promoting privacy, choice, and sustainability in the smart home, like:
- Open hardware tools (e.g., ESPHome, ESP Web Tools)
- Open standards (e.g., Python Matter Server, Z-Wave JS, ZigPy, BTHome, Improv Wi-Fi)
- Open voice (e.g., Rhasspy, Wyoming Protocol, Piper)
The recruitment process
- Apply for the role
- Our HR team will review your application with the hiring manager
- Interview with HR
- Technical assessment
- Interview with the team
- Offer
- Join our team!