Application Security Engineer, AI-Assisted Vulnerability Management
Eclipse Foundation, Inc.
Job Description
Summary
The Eclipse Foundation is one of the world’s largest open source software foundations, with a proven track record of enabling developer-focused open source innovation earned over 19 years. The Foundation is the home of numerous industry-leading projects and collaborations including Adoptium, Software Defined Vehicle, Eclipse IDE, IoT and Jakarta EE. Supported by over 350 members globally, the Foundation has an established international reach and reputation.
The Role
We are looking for an Application Security Engineer to design, build, and operate AI-assisted vulnerability management workflows across Eclipse Foundation open source projects. This role combines application security, security automation, and practical use of large language models to help identify, triage, and remediate vulnerabilities at a scale that would be difficult to achieve manually.
This is not a role focused on casually prompting a chatbot. You will build pipelines, integrate AI-assisted analysis into developer and CI/CD workflows, evaluate findings critically, reduce false positives, and collaborate with project maintainers to land real fixes. The goal is to deliver measurable improvements in how the Foundation discovers, prioritizes, and resolves security issues across its project portfolio.
Location and Term Role
This is an initial 12-month fixed-term role, fully remote and open to candidates located in the European Union, Canada, and the United States. Depending on organizational needs, funding, performance, and mutual fit, there may be an opportunity for renewal or transition to an ongoing/permanent position.
Responsibilities
Build and integrate AI-assisted security tooling
Design and implement pipelines that use large language models, AI-assisted code analysis, and traditional security tools to scan Eclipse projects for vulnerabilities, including code-level flaws, dependency risks, and misconfigurations.
Develop scalable triage workflows
Create workflows that separate true positives from noise, prioritize findings based on severity and exploitability, and produce actionable reports for project teams.
Drive remediation
Work with project maintainers to propose fixes, submit pull requests, and validate that vulnerabilities have been properly resolved.
Evaluate and improve tooling
Benchmark AI-assisted approaches against traditional SAST, DAST, SCA, and dependency-scanning tools. Measure false-positive rates, assess usefulness, and continuously refine prompts, retrieval strategies, evaluation methods, and model or tool selection.
Support responsible AI use in security workflows
Help define safe and appropriate use of AI tooling, including the handling of sensitive vulnerability information, project source code, disclosure timelines, and data-sharing constraints.
Document and share knowledge
Produce internal playbooks, technical write-ups, and metrics dashboards so the security team can sustain and extend this work over time.
Coordinate with the broader security team
Participate in vulnerability disclosure processes, CVE management, and security advisories as needed.
Success in This Role
Success in this role means helping the Eclipse Foundation improve the speed, accuracy, and consistency of vulnerability discovery and remediation. This includes reducing triage time, improving true-positive rates, increasing the number of actionable findings delivered to projects, and helping maintainers land verified fixes. The role requires careful human review of AI-generated findings before they are shared with maintainers. We value accuracy, reproducibility, and respectful collaboration over the volume of reports produced.
Education
A degree in software engineering, computer science, cybersecurity, or a related field is welcome. Equivalent practical experience is also highly valued. Relevant certifications are considered an asset but are not required.
Desired Skills and Experience
We are looking for someone who is curious, pragmatic, and service-oriented. The successful candidate will be comfortable investigating technical issues, asking thoughtful questions, documenting work carefully, and helping others understand and address security risks.
This role requires someone who can operate with a high level of trust, communicate calmly during security events, and balance security priorities with the realities of a collaborative, mission-driven open source environment. You should be comfortable working with distributed teams and contributing to a culture where security enables participation, transparency, and resilience. You should also be comfortable communicating with volunteer and professional maintainers in a constructive, respectful, and actionable way.
Must-Have Qualifications
Strong application security background, including familiarity with common vulnerability classes such as OWASP Top 10 and CWE, secure coding practices, and practical exploitability analysis.
Hands-on experience conducting security code reviews, audits, or assessments
