Company Overview Docusign brings agreements to life. Over 1.5 million customers and more than a billion people in over 180 countries use Docusign solutions to accelerate the process of doing business and simplify people’s lives. With intelligent agreement management, Docusign unleashes business-critical data that is trapped inside of documents. Until now, these were disconnected from business systems of record, costing businesses time, money, and opportunity. Using Docusign’s Intelligent Agreement Management platform, companies can create, commit, and manage agreements with solutions created by the #1 company in e-signature and contract lifecycle management (CLM). What you'll do You will play a critical role in protecting Docusign’s products and customers by performing deep-dive, white-box vulnerability research on first-party software. This is not a compliance or monitoring role; you will work directly in the codebase to identify novel vulnerabilities, assess their security impacts, and provide guidance on remediation. You will analyze the architecture and design of complex targets to find "un-scannable" logic flaws and structural weaknesses. Your expertise will ensure that Docusign moves beyond reproducing known bugs to proactively securing our most critical services through hands-on, offensive evaluation. This position is an individual contributor role reporting to the Director of Offensive Security. Responsibility Perform in-depth manual security evaluations and code-level research to identify novel vulnerabilities in first-party Docusign software Deconstruct product designs and logic flows to identify "triple-bank-shot" vulnerabilities that automated tools cannot detect Create functional exploits to demonstrate the impact of discovered flaws and validate the severity of findings Partner with engineering teams to provide deep technical guidance on code fixes, ensuring vulnerabilities are eliminated at the source rather than just patched Work with PSIRT and Threat Intelligence as a technical subject matter expert to analyze complex product security issues and drive variant analysis across the ecosystem Job Designation Hybrid: Employee divides their time between in-office and remote work. Access to an office location is required. (Frequency: Minimum 2 days per week; may vary by team but will be weekly in-office expectation) Positions at Docusign are assigned a job designation of either In Office, Hybrid or Remote and are specific to the role/job. Preferred job designations are not guaranteed when changing positions within Docusign. Docusign reserves the right to change a position's job designation depending on business needs and as permitted by local law. What you bring Basic 5+ years experience (3+ with a Master’s degree) in vulnerability research, exploit development, or white-box penetration testing Ability to read, navigate, and understand complex logic flow within first-party codebases (e.g., C#, Java) Proven track record of identifying novel bugs through manual analysis, static/dynamic analysis, and custom tooling rather than commercial scanners Experience developing functional PoC exploits for logic flaws, memory corruption, or complex web-based vulnerabilities Solid understanding of CVSS and CWE to accurately categorize and communicate the technical risk of novel findings Preferred A history of CVE discovery, published security research, or presentations at major industry conferences (e.g., Black Hat, DEF CON) Industry-recognized offensive certifications such as OSCP, GXPN, OSEP, OSWA, OSWE, OSDA Experience with vulnerability research in cloud-native environments (AWS/Azure), containers, or distributed microservices Experience performing offensive security evaluations on AI/ML models and integrations Ability to explain a complex, multi-stage exploit to a developer in a way that is actionable and technical Life at Docusign Working here Docusign is committed to building trust and making the world more agreeable for our employees, customers and the communities in which we live and work. You can count on us to listen, be honest, and try our best to do what’s right, every day. At Docusign, everything is equal. We each have a responsibility to ensure every team member has an equal opportunity to succeed, to be heard, to exchange ideas openly, to build lasting relationships, and to do the work of their life. Best of all, you will be able to feel deep pride in the work you do, because your contribution helps us make the world better than we found it. And for that, you’ll be loved by us, our customers, and the world in which we live. Accommodation Docusign is committed to providing reasonable accommodations for qualified individuals with disabilities in our job application procedures. If you need such an accommodation, or a religious accommodation, during the application process, please contact us at accommodations@docusign.com. If you experience any issues, concerns, or technical difficulties during the a