Engineer, Staff

Company:

Job Area:

General Summary:

As a Product Security Engineer focused on vulnerability research and exploit mitigation, you will play a critical role in securing software systems by identifying and mitigating vulnerabilities at both the source code and binary levels. This role is ideal for someone who is passionate about software security, has a deep understanding of C/C++ internals, and enjoys building and applying tools to uncover subtle flaws before attackers do.

Your primary focus will be on analyzing C/C++ source code using static analysis techniques, both manual and automated, to detect memory safety issues, logic errors, and insecure coding patterns. You will work closely with development teams to integrate and fine-tune sanitizers (such as ASan, UBSan, and MSan) and other compiler-based instrumentation to proactively catch bugs during development and testing.

In addition to source-level work, you will also analyze ARM binaries to identify vulnerabilities in compiled code, especially in cases where source is unavailable or incomplete. This includes reverse engineering, binary static analysis, and applying fuzzing techniques to validate findings and uncover additional issues.

A key part of your role will involve evaluating and implementing exploit mitigation strategies (e.g., stack canaries, ASLR, DEP, CFI) and ensuring they are effectively deployed across the software stack. You will also monitor external security incidents (e.g., CVEs, threat reports, zero-days) to identify detection gaps in current tooling and processes, and work to close those gaps through improved analysis, tooling, and secure coding guidance.

This is a hands-on, engineering-focused role that blends security research, tool development, and collaborative problem-solving. You’ll work alongside developers, security engineers, and incident responders to ensure that vulnerabilities are not only found, but also understood, mitigated, and prevented in the future.

Required Qualifications:

• Strong proficiency in C and C++, with deep understanding of memory management and low-level programming.
• Experience with ARM architecture, including reverse engineering and binary analysis.
• Experience with embedded device security architectures.
• Proficiency with static analysis tools (e.g., CodeQL, Klocwork, Coverity, Helix QAC, Parasoft, Clang Static Analyzer).
• Hands-on experience with fuzzing frameworks (e.g., AFL++, libFuzzer, Honggfuzz).
• Familiarity with exploit mitigation techniques and their implementation in modern toolchains and operating systems.
• Experience analyzing real-world vulnerabilities and applying lessons learned to improve detection capabilities.
• Strong understanding of common vulnerability classes (e.g., buffer overflows, UAF, race conditions).
• Proficiency with reverse engineering tools (e.g., Ghidra, IDA Pro, Binary Ninja).
• Threat modelling to identify targets for vulnerability detection.
• Familiarity with AI advances in this area.
• Excellent written communication skills.

Minimum Qualifications:

• Bachelor's degree in Engineering, Information Systems, Computer Science, or related field and 4+ years of Software Engineering or related work experience.

• 2+ years of work experience with Programming Language such as C, C++, Java, Python, etc.

Preferred Qualifications:

• Knowledge of symbolic execution, taint analysis, or dynamic binary instrumentation.
• Exposure to LLVM Compiler, particularly writing passes and Clang Static Analysis checkers.
• Contributions to open-source security tools or public vulnerability disclosures.
• Experience in working with external security researchers.

Education qualifications:

• Bachelor’s degree or above in Computer Science, Computer Security, Electrical Engineering, or a related field, or equivalent practical experience.

Applicants: Qualcomm is an equal opportunity employer. If you are an individual with a disability and need an accommodation during the application/hiring process, rest assured that Qualcomm is committed to providing an accessible process. You may e-mail disability-accomodations@qualcomm.com or call Qualcomm's toll-free number found here. Upon request, Qualcomm will provide reasonable accommodations to support individuals with disabilities to be able participate in the hiring process. Qualcomm is also committed to making our workplace accessible for individuals with disabilities. (Keep in mind that this email address is used to provide reasonable accommodations for individuals with disabilities. We will not respond here to requests for updates on applications or resume inquiries).

Qualcomm expects its employees to abide by all applicable policies and procedures, including but not limited to security and other requirements regarding protection of Company confidential information and other confidential and/or proprietary information, to the extent those requirements are permissible under applicable law.

To all Staffing and Recruiting Agencies: Our Careers Site is only for individuals seeking a job at Qualcomm. Staffing and recruiting agencies and individuals being represented by an agency are not authorized to use this site or to submit profiles, applications or resumes, and any such submissions will be considered unsolicited. Qualcomm does not accept unsolicited resumes or applications from agencies. Please do not forward resumes to our jobs alias, Qualcomm employees or any other company location. Qualcomm is not responsible for any fees related to unsolicited resumes/applications.

If you would like more information about this role, please contact Qualcomm Careers.