Technical Program Manager, Security (Coordinated Vulnerability Disclosure)

• Own end-to-end CVD program strategy and execution: Define and drive the roadmap for coordinated vulnerability disclosure, from AI-generated finding through maintainer notification, remediation tracking, and public disclosure. Ensure alignment with Anthropic’s security posture and RSP compliance requirements.
• Lead internal triage and quality assurance: Establish and manage the human review process that validates all AI-generated findings before external disclosure. Set minimum confidence thresholds, deduplicate against known CVEs, and ensure every report sent to a maintainer meets Anthropic’s quality bar.
• Design and operate tiered disclosure timelines: Implement severity-based disclosure windows with appropriate extension policies.
• Build and manage pacing and submission models: Develop rate-limiting frameworks that govern how many findings are submitted to each project, scaled to maintainer capacity and project size.
• Lead external coordination and partner engagement: Manage relationships with open-source maintainers and closed-source vendors. Serve as the primary point of contact for vulnerability coordination, including escalation when maintainers are unresponsive. Drive the phased rollout from initial trusted partners through broader open-source engagement.
• Establish program metrics and reporting: Define and track the metrics that determine program health, including fix rates, false-positive rates, median time-to-patch, and qualitative maintainer feedback. Use these metrics to inform decisions about program expansion, pacing adjustments, and policy updates.

• Lead internal triage and quality assurance: Establish and manage the human review process that validates all AI-generated findings before external disclosure. Set minimum confidence thresholds, deduplicate against known CVEs, and ensure every report sent to a maintainer meets Anthropic’s quality bar.
• Design and operate tiered disclosure timelines: Implement severity-based disclosure windows with appropriate extension policies.
• Build and manage pacing and submission models: Develop rate-limiting frameworks that govern how many findings are submitted to each project, scaled to maintainer capacity and project size.
• Lead external coordination and partner engagement: Manage relationships with open-source maintainers and closed-source vendors. Serve as the primary point of contact for vulnerability coordination, including escalation when maintainers are unresponsive. Drive the phased rollout from initial trusted partners through broader open-source engagement.
• Establish program metrics and reporting: Define and track the metrics that determine program health, including fix rates, false-positive rates, median time-to-patch, and qualitative maintainer feedback. Use these metrics to inform decisions about program expansion, pacing adjustments, and policy updates.
• Drive response category classification: Manage the process for classifying findings into response categories (latent vulnerability, active exploitation, ecosystem-level pattern) and ensure the appropriate response protocol is triggered for each category.

Browse similar jobs