Summary of the role

Mozilla Enterprise Information Security is responsible for the day to day security of Mozilla systems and properties, including those delivering Firefox to millions of users and powering 10,000+ volunteers and developers.

As a penetration tester for the Mozilla Enterprise Information Security team you will proactively, collaboratively and purposely test and evaluate the operational security stance of key Mozilla services, vendors, systems and integrations as implemented. You will be a primary operative for assessing vendor, SaaS and other proposed implementations and integrations to key Mozilla systems with an eye towards understanding the complete set of security controls for a business function and the actual security assurance those controls provide.

About You

You wonder how things work. You wonder if they can be made to work differently long after others have stopped reading the manual. You understand that penetration testing is more than vulnerability scanning. You are not afraid to responsibly question a vendor’s representation of their security, yet understand that no solution offers perfect security. You understand that a system is more than the sum of its parts and that the parts often include internal, external, vendors, SaaS, cloud providers and in-house components. You are able and eager to work with business-focused people on solutions to mitigate security issues in existing and proposed systems.

Key Focus Areas

  • Participate in recurrent penetration testing/red team exercises at Mozilla
  • Perform security reviews of vendor security for proposed services, software purchases, SaaS integrations, and RFPs
  • Define, standardize and document the process and artifacts of system and vendor reviews
  • Actively test the security stance of our services as provided through SaaS, PaaS, cloud providers, or offices and Mozilla data centers
  • Partner with key Mozilla web sites to help them enhance their security posture
  • Participate in the Web Security Bug bounty program to help triage reports through to completed remediations
  • Determine the effective security stance of Mozilla properties as implemented using a combination of approaches (code reviews, white box, black box testing, hands-on scanning, phishing, social engineering, etc.)
  • Validate that security controls perform as expected and planned
  • Validate vulnerability ratings through hands-on testing of Mozilla services as implemented in a variety of our operating environments including cloud providers, platform as a service, in house data centers, office locations, etc
  • Recommend fixes for vulnerabilities discovered during testing exercises
  • Writing exploits and/or proof of concept code that demonstrate the impact of vulnerabilities found
  • Regularly test the implementation of security controls and vulnerability ratings of services inside and outside Mozilla, including SaaS, PaaS, cloud providers, etc.
  • Integration of continuous penetration testing into a variety of traditional and DevOps environments

Additional Responsibilities

  • Writing unit tests to alert us on regressions with vulnerabilities
  • Automation of both day-to-day and critical functions
  • Provide design, architecture, and operational guidance on a variety of projects

Skills and Experience

  • Bachelor's degree in computer science (or related program) or equivalent work experience
  • Demonstrated experience using a mix of commercial, open source and in-house developed tools as needed to exercise security controls, discover weaknesses and test response capabilities
  • Proficient in at least Python or Ruby. JavaScript, Golang, PHP, C, etc are a plus
  • Able to quickly dive into source code and understand its organization, point out typical dangerous code patterns, provide guidance, etc.
  • Demonstrated experience operating in sensitive, operational production environments, red teaming, and/or CTF type events
  • 3+ years of experience in hands-on web application penetration testing engagements
  • Comfortable discussing security impact, risks, vulnerabilities and threats to a variety of audiences and capable of balancing security with the need to move projects forward
  • Comfortable with open and direct communication in a very transparent culture, navigating strong opinions while driving towards organizational goals

We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. 

Apply for this Job
* Required
(Optional)
Almost there! Review your information then click 'Submit Application' to apply.

File   X
File   X


U.S. Equal Opportunity Employment Information (Completion is voluntary)

Individuals seeking employment at Mozilla are considered without regards to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. You are being given the opportunity to provide the following information in order to help us comply with federal and state Equal Employment Opportunity/Affirmative Action record keeping, reporting, and other legal requirements.

Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.


Form CC-305

OMB Control Number 1250-0005

Expires 1/31/2020

Voluntary Self-Identification of Disability

Why are you being asked to complete this form?

Because we do business with the government, we must reach out to, hire, and provide equal opportunity to qualified people with disabilities1. To help us measure how well we are doing, we are asking you to tell us if you have a disability or if you ever had a disability. Completing this form is voluntary, but we hope that you will choose to fill it out. If you are applying for a job, any answer you give will be kept private and will not be used against you in any way.

If you already work for us, your answer will not be used against you in any way. Because a person may become disabled at any time, we are required to ask all of our employees to update their information every five years. You may voluntarily self-identify as having a disability on this form without fear of any punishment because you did not identify as having a disability earlier.

How do I know if I have a disability?

You are considered to have a disability if you have a physical or mental impairment or medical condition that substantially limits a major life activity, or if you have a history or record of such an impairment or medical condition.

Disabilities include, but are not limited to:

  • Blindness
  • Deafness
  • Cancer
  • Diabetes
  • Epilepsy
  • Autism
  • Cerebral palsy
  • HIV/AIDS
  • Schizophrenia
  • Muscular dystrophy
  • Bipolar disorder
  • Major depression
  • Multiple sclerosis (MS)
  • Missing limbs or partially missing limbs
  • Post-traumatic stress disorder (PTSD)
  • Obsessive compulsive disorder
  • Impairments requiring the use of a wheelchair
  • Intellectual disability (previously called mental retardation)
Reasonable Accommodation Notice

Federal law requires employers to provide reasonable accommodation to qualified individuals with disabilities. Please tell us if you require a reasonable accommodation to apply for a job or to perform your job. Examples of reasonable accommodation include making a change to the application process or work procedures, providing documents in an alternate format, using a sign language interpreter, or using specialized equipment.

1Section 503 of the Rehabilitation Act of 1973, as amended. For more information about this form or the equal employment obligations of Federal contractors, visit the U.S. Department of Labor's Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.


Application consent for Mozilla

By clicking the “I Accept” button you expressly make the following representations and warranties and give your consents as described below:

Mozilla collects your personal data for the purposes of managing Mozilla’s recruitment related activities as well as for organizational planning purposes globally. Consequently, Mozilla may use your personal data in relation to the evaluation and selection of applicants including for example setting up and conducting interviews and tests, evaluating and assessing the results thereto and as is otherwise needed in the recruitment processes including the final recruitment.

Mozilla does not disclose your personal data to unauthorized third parties. However, as a global corporation consisting of multiple affiliated companies in various countries, Mozilla has international sites and Mozilla uses resources located throughout the world. Mozilla may from time to time also use third parties to act on Mozilla’s behalf. You agree to the fact that to the extent necessary your personal data may be transferred and/or disclosed to any company within Mozilla group of companies as well as to third parties acting on Mozilla’s behalf, including also transfers to servers and databases outside the country where you provided Mozilla with your personal data. Such transfers may include for example transfers and/or disclosures outside the European Economic Area and in the United States of America.


Share this job: