About Galoy
At Galoy, we are building the future of banking by developing a financial infrastructure stack on top of the Bitcoin network. Our platform includes both open source and Fair Source licensed projects, fostering collaboration and contribution across the ecosystem. With it, we enable institutions to connect to and offer financial services on Bitcoin.
We recently announced Lana, a Bitcoin-backed lending platform designed to enable financial institutions to bring bitcoin-backed loans to market quickly.
The banking platform also includes a core accounting ledger (Cala), and a payments bridge (Bria). Galoy is also the developer of the Blink bitcoin wallet and Stablesats, a method for creating stable balances using derivatives instead of tokens.
About the Role
We’re hiring a full‑time Senior Security Researcher to harden and advance the security of our Bitcoin‑native financial infrastructure. You’ll focus on deep code analysis (primarily Rust) and cloud‑native deployment security, working hand‑in‑hand with our backend and platform engineers. Your mission is to anticipate, identify, and neutralize vulnerabilities—protecting bitcoin custody, loan logic, and user data while enabling rapid product delivery.
If you’re passionate about Bitcoin, open‑source software, and advanced security research—and you want your work to make Bitcoin‑powered banking safer for the world—we’d love to hear from you.
Main Responsibilities
- Threat Modeling & Secure Architecture – Lead threat‑modeling sessions for new features (e.g., bitcoin‑backed loans, Lightning payments), design mitigations, and champion security‑by‑design across services.
- Code & Vulnerability Research – Perform manual and automated security reviews of Rust codebases (Cala, Lana, Bria), hunt for zero‑days, and drive remediation.
- Cloud Infrastructure Hardening – Own security of our cloud‑native stack (GCP/Azure/Kubernetes/Terraform): IAM least‑privilege, network segmentation, key‑management integration, secrets hygiene.
- DevSecOps Automation – Embed SAST/DAST, secret‑scanning, dependency‑vulnerability checks, and container/image scanning into CI/CD pipelines; monitor and tune findings.
- Incident Readiness & Response – Maintain detection rules, triage alerts, run post‑mortems, and continuously improve runbooks for security events.
- Security Research & Evangelism – Track emerging exploits in Bitcoin, Lightning, Rust, and cloud ecosystems; share findings internally and upstream to open‑source projects.
- Mentorship & Collaboration – Guide engineers on secure coding and review practices; foster a security‑first culture without slowing innovation.
- Open‑Source Contribution – Publish security enhancements, tooling, and documentation back to Galoy repos and the wider Bitcoin security community.
Candidate Skills
- 5+ years in application and cloud security, with a track record of finding and fixing high‑impact vulnerabilities.
- Fluency in Rust (or other modern systems languages, with strong willingness to dive deep into Rust).
- Bitcoin & Lightning know‑how—understands cryptographic primitives, transaction flows, custody models, common exploits, and mitigation strategies.
- Cloud‑native security expertise—hands‑on with AWS (or GCP/Azure), Kubernetes, Infrastructure‑as‑Code (Terraform), container security, and CI/CD pipelines.
- Security tooling & research chops—familiar with SAST/DAST scanners, fuzzing, CodeQL, Burp/ZAP, Sigstore, SBOM & supply‑chain security concepts.
- Threat modeling & pen‑testing proficiency—experienced with STRIDE, PASTA, or similar frameworks; comfortable performing hands‑on penetration tests.
- Crypto / key‑management experience—HSMs, MPC wallets, or second‑layer custody models are a plus.
- Startup Mindset—comfortable making pragmatic trade‑offs, wearing multiple hats, and iterating quickly with incomplete information.
- Communication—clear written & spoken English; Spanish is a plus (we collaborate heavily in LATAM). Ability to convey complex security topics to technical and non‑technical stakeholders.
- Remote & Async—proven ability to excel in distributed teams across time zones.
If you’re interested in this opportunity
- Send your CV (and any relevant research, blog posts, or CVE credits) to jobs@galoy.io.
Perks
- Work on cutting‑edge Bitcoin technology that secures real assets.
- Contribute to open‑source projects and share your research with the community.
- Receive compensation in Bitcoin (optional).
- Collaborate with a diverse, international team in a remote-first environment.
- Optionally relocate to El Salvador—the world’s first Bitcoin nation—where we’ll assist with visas and logistics.
Join us and keep the future of Bitcoin‑powered banking secure!