Application Security Engineer

Donorbox via LinkedIn

Remote | São Paulo | Mid-level | CLT | 22 days ago

Estimated Salary

R$ 9.360,00 - R$ 14.040,00


Job Description

About Donorbox

Donorbox is a leading fundraising platform and donor management system for nonprofit organizations.


Our mission is to accelerate positive impact worldwide by helping nonprofits become highly effective at raising funds and managing their supporter base.


Since 2014, we have powered more than 100,000 global organizations to raise over $3B in donations. 🚀 Our fast-growing company is profitable and bootstrapped with a healthy run rate.


We have a fully distributed and diverse 150-person team based in 16+ states and 23+ countries.


In 2026, Donorbox was named by Built In as one of the Best Places to Work in Washington, DC.🏅 Donorbox is rated the #1 software for fundraising, donor management, and nonprofit payment on G2 based on hundreds of verified customer reviews — a reflection of the care our team puts into building products that nonprofits trust.


The Role

We're looking for a high-autonomy Application Security Engineer to help with full-stack security (edge + cloud + app), both defensive and offensive, of our global PaaS platform.


This is not a "ticket-driven" role.


You are someone who:

- Identifies risks before they're reported
- Prioritizes based on real-world impact
- Takes initiative to protect the platform and our customers

You will contribute to our security roadmap end-to-end, balancing platform availability, customer experience, and data protection across a globally distributed infrastructure.


Responsibilities

Edge Governance & Traffic Analysis: Own the Cloudflare stack.


Monitor traffic patterns to identify threats (DDoS, credential stuffing, scraping) and implement real-time countermeasures.


You know how to mitigate a threat without shutting down a "big customer."


Cloudflare Mastery: You don't just click toggles; you write Cloudflare Workers and custom WAF expressions to intercept sophisticated L7 attacks before they hit our origin.


Vulnerability Ecosystem (Intigriti): Lead our 3rd-party researcher program.


Triage and validate reports, ensuring we reward the first reporter and immediately implement "kills" at the source (e.g., via Cloudflare rules) to stop the noise.


You are the bridge between external researchers and our internal dev teams.


You move fast to validate, reward, and—most importantly—virtual-patch vulnerabilities at the edge while the permanent fix is escalated to the dev team.


Offensive Strategy & Internal Pen-tests: Proactively identify weaknesses across our systems. Design and execute targeted internal penetration tests.


Focus on real-world attack paths.


You will identify and escalate flawed business logic.


Not checkbox testing.


Partner with engineering teams to ensure fixes are implemented effectively.


You see the gaps in how the product is designed and advocate for systemic fixes.


Application & Dependency Security: Monitor and respond to vulnerabilities in application dependencies and frameworks (e.g., reviewing alerts from tools like Dependabot and validating real impact).


Evaluate real-world impact of supply chain risks (not all CVEs are equal).


Work with engineering teams to prioritize and remediate issues effectively.


Improve processes around dependency management and secure development practices.


Incident Response & Global Collaboration: Communicate clearly and effectively under pressure.


Coordinate across time zones with SRE, Support, and Product teams.


In a crisis, you act decisively but keep the right stakeholders informed.


Investigate and respond to cloud-native security signals (e.g., AWS GuardDuty, unusual IAM or network activity).

Qualifications & Experience

- Experience with Cloudflare at scale (WAF, Workers, rate limiting, bot management)
- Experience with AWS security tooling (e.g., GuardDuty, IAM analysis, CloudTrail)
- Familiarity with dependency and supply chain security practices
- Familiarity with bug bounty platforms (e.g., Intigriti, HackerOne)
- Experience with vendor-approved security scanners and integrating them into workflows (e.g., SAST, DAST, dependency scanning)
- Familiarity with compliance automation tools (e.g., Vanta, Drata)
- Compliance Literacy: Knowledge of PCI DSS or SOC II frameworks.


You understand how to translate technical security controls into audit-ready evidence.


Details

- Fully remote based in Mexico or Brazil
- Salary depending on experience and location

Benefits & Perks

- Fully remote work from the comfort of your home
- Eligibility for employee equity plan (stock options)
- Reimbursement package for home office expenses and professional development, up to $1.5k
- Generous time off policy of 21 days (birthday included 🎉), 8 holidays of your choice, and 2 paid volunteer days
- Wellness program with fitness and mindfulness classes
- Love your work and our mission of serving nonprofits!

The Application Process

We have 6 stages:

1. Apply here and fill out our questions to tell us about you!
2. Prescreen Call with the Talent Team
3. Interview with Hiring Manager
4. Assignment
5. Panel/Final Interview
6. Background & Reference Checks

If this sounds like the right role for you, please apply today and let us know why.


We look forward to hearing from you!


Information

Level: Mid-level
Contract: CLT
Location: São Paulo
Remote: Yes
Currency: BRL
Published: 22 days ago
Source: LinkedIn
