Senior Product Security Engineer

Pomelo Care
United States
$175k – $200k
Posted 26 March 2026

Job Description

About us

Pomelo Care is the national leader in evidence-based healthcare for women and children. We deliver personalized, high-quality clinical interventions from reproductive care and pregnancy, infant care and pediatrics, to hormonal health through perimenopause and menopause, with long-term preventive care and condition management. Our model delivers 24/7 multispecialty care to address the medical, behavioral, and social factors that most significantly impact outcomes for women and children. We partner with payers, employers, and providers to expand access to quality healthcare across the system.

What you'll do

As our first Product Security Engineer, you will sit at the intersection of Security and Software Engineering. Reporting directly to the CISO, you will be a "Security Builder": embedded within our engineering teams with the autonomy needed to build the automation, tools, and workflows that make security a seamless part of the software development lifecycle. You aren't just finding bugs; you are building the systems that prevent and fix them at scale.

Your work will be centered on three core strategic pillars:

Secure architecture and auth: you will design and implement auth enhancements such as magic link improvements and access/audit log features to monitor access and improve transparency.

Privacy engineering: you will lead the privacy engineering initiatives including DSAR integration, building automated data deletion capabilities directly into the Pomelo mobile app and our internal platform to ensure seamless compliance. You will also help improve privacy-preserving data de-identification and anonymization as needed.

Full-cycle remediation: you will own the end-to-end pentest-to-fix lifecycle. This means you don't just triage reports; you write the code to fix penetration test findings, remediate SAST issues, and build greenkeeping systems for high-volume dependency patching with regression testing.

Beyond these pillars, you will serve as a high-leverage engineering partner to the broader InfoSec team by:

Building secure-by-default libraries: reducing the load on core Software Engineering by creating internal libraries and patterns that make security the default path.

Threat modeling: partnering with engineering leads to conduct threat modeling and ensure secure design at the earliest stages of the development process.

Scaling through collaboration: as a security resource embedded in our engineering teams, you will help engineering squads navigate complex security use cases, translating GRC requirements into elegant code rather than manual checklists.

Who you are

You’re an enthusiastic and collaborative engineer who enjoys solving meaningful problems through code. You view security as a product challenge, and you believe the best way to secure a system is to make the "secure way" the "easy way." In particular, you:

Are a builder first: Have 5+ years of software engineering experience with a strong foundation in computer science and a track record of shipping production-grade code (Python, Go, Kotlin or similar).

Have a security mindset: You understand the OWASP Top 10, identity flows and prompt injections, but you’d rather build a system that eliminates a class of vulnerability than manually triage individual alerts. You believe security expertise should be embedded into the development process, not bolted on at the end.

Are an automation enthusiast: you enjoy tackling complex problems with practical automation and are keeping up with trends in LLM agents to multiply your engineering impact.

Navigate ambiguity: as a floating resource across various engineering teams, you are comfortable context-switching and can quickly build rapport with different engineering teams to understand their needs.

We’ll be super excited if you

Have experience with Google Cloud Platform (GCP), GitHub Advanced Security (GHAS), Stytch, Sentry, Fullstory, Statsig or similar technology stack.

Have ... (truncated, view full listing at source)