Donorbox Logo

Application Security Engineer

🇧🇷 Brazil🔒 Cybersecurity🔵 Mid-level

Job Description

About Donorbox

Donorbox is a leading fundraising platform and donor management system for nonprofit organizations. Our mission is to accelerate positive impact worldwide by helping nonprofits become highly effective at raising funds and managing their supporter base. Since 2014, we have powered more than 100,000 global organizations to raise over $3B in donations. 🚀

Our fast-growing company is profitable and bootstrapped with a healthy run rate. We have a fully distributed and diverse 150-person team based in 16+ states and 23+ countries. In 2026, Donorbox was named by Built In as one of the Best Places to Work in Washington, DC.

🏅 Donorbox is rated the #1 software for fundraising, donor management, and nonprofit payment on G2 based on hundreds of verified customer reviews — a reflection of the care our team puts into building products that nonprofits trust.

The Role

We’re looking for a high-autonomy Application Security Engineer to help with full-stack security (edge + cloud + app); both defensive and offensive; of our global PaaS platform.

This is not a “ticket-driven” role. You are someone who:

  • Identifies risks before they’re reported
  • Prioritizes based on real-world impact
  • Takes initiative to protect the platform and our customers

You will contribute to our security roadmap end-to-end, balancing platform availability, customer experience, and data protection across a globally distributed infrastructure.

Responsibilities

  • Edge Governance & Traffic Analysis: Own the Cloudflare stack. Monitor traffic patterns to identify threats (DDoS, credential stuffing, scraping) and implement real-time countermeasures. You know how to mitigate a threat without shutting down a “big customer.”

Cloudflare Mastery: You don’t just click toggles; you write Cloudflare Workers and custom WAF expressions to intercept sophisticated L7 attacks before they hit our origin.

  • Vulnerability Ecosystem (Intigriti): Lead our 3rd-party researcher program. Triage and validate reports, ensuring we reward the first reporter and immediately implement “kills” at the source (e.g., via Cloudflare rules) to stop the noise.

You are the bridge between external researchers and our internal dev teams. You move fast to validate, reward, and—most importantly—virtual-patch vulnerabilities at the edge while the permanent fix is escalated to the dev team.

  • Offensive Strategy & Internal Pen-tests: Proactively identify weaknesses across our systems Design and execute targeted internal penetration tests. Focus on real-world attack paths. You will identify and escalate flawed business logic. Not checkbox testing. Partner with engineering teams to ensure fixes are implemented effectively. You see the gaps in how the product is designed and advocate for systemic fixes.
  • Application & Dependency Security: Monitor and respond to vulnerabilities in application dependencies and frameworks (e.g., reviewing alerts from tools like Dependabot and validating real impact). Evaluate real-world impact of supply chain risks (not all CVEs are equal). Work with engineering teams to prioritize and remediate issues effectively. Improve processes around dependency management and secure development practices
  • Incident Response & Global Collaboration: Communicate clearly and effectively under pressure. Coordinate across time zones with SRE, Support, and Product teams. In a crisis, you act decisively but keep the right stakeholders informed. Investigate and respond to cloud-native security signals (e.g., AWS GuardDuty, unusual IAM or network activity)

Qualifications & Experience

  • Experience with Cloudflare at scale (WAF, Workers, rate limiting, bot management)
  • Experience with AWS security tooling (e.g., GuardDuty, IAM analysis, CloudTrail)
  • Familiarity with dependency and supply chain security practices
  • Familiarity with bug bounty platforms (e.g., Intigriti, HackerOne)
  • Experience with vendor-approved security scanners and integrating them into workflows (e.g., SAST, DAST, dependency scanning)
  • Familiarity with compliance automation tools (e.g., Vanta, Drata)
  • Compliance Literacy: Knowledge of PCI DSS or SOC II frameworks. You understand how to translate technical security controls into audit-ready evidence.

Details

  • Fully remote based in Mexico or Brazil
  • Salary depending on experience and location

Benefits & Perks

  • Fully remote work from the comfort of your home
  • Eligibility for employee equity plan (stock options)
  • Reimbursement package for home office expenses and professional development, up to $1.5k
  • Generous time off policy of 21 days (birthday included 🎉), 8 holidays of your choice, and 2 paid volunteer days
  • Wellness program with fitness and mindfulness classes
  • Love your work and our mission of serving nonprofits!

The Application Process

We have 6 stages:

  1. Apply here and fill out our questions to tell us about you!
  2. Prescreen Call with the Talent Team
  3. Interview with Hiring Manager
  4. Assignment
  5. Panel/Final Interview
  6. Background & Reference Checks

If this sounds like the right role for you, please apply today and let us know why. We look forward to hearing from you!

Share this job:
Please let Donorbox know you found this job on Remote First Jobs 🙏

9376 similar remote jobs

Explore latest remote opportunities and join a team that values work flexibility.

View all jobs
WRITER logo

Security Engineer Application Security

WRITER

2 Months ago
WRITER logo

Security Engineer Application Security

WRITER

2 Months ago
CoreWeave logo

Security Assurance Engineering Senior Security Production Engineer

CoreWeave

$165k-$242k 2 Months ago
PandaDoc logo

Application Security Engineer

PandaDoc

$70k-$82k New
Flywire logo

Application Security Engineer

Flywire

New
true logo

Senior Application Security Engineer

true

$150k-$205k New

Remote companies like Donorbox

Find your next opportunity with companies that specialize in Nonprofits, Fundraising, Donor Relationship Management, and Fundraising Coaching. Explore remote-first companies like Donorbox that prioritize flexible work and home-office freedom.

All companies
Givebutter Logo

Givebutter

51-200 www.givebutter.com

An all-in-one fundraising platform for nonprofits, offering donation forms, events, CRM, and marketing tools.

View company profile →
Driving Out Domestic Violence Logo

Driving Out Domestic Violence

11-50 qgiv.com

A fundraising platform for nonprofits, offering tools for donations, events, peer-to-peer campaigns, and donor insights.

View company profile →
Bloomerang Logo

Bloomerang

201-500 bloomerang.com

A Giving Platform with fundraising, CRM, and volunteer management software for nonprofits.

View company profile →
Classy Logo

Classy

201-500 www.classy.org

Online fundraising software for nonprofits to connect with donors and track their impact.

View company profile →
Constant Contact Logo

Constant Contact

1001-5000 www.constantcontact.com

Digital marketing tools for small businesses and nonprofits, including email, social media, and SMS.

View company profile →
Fundraise Up Logo

Fundraise Up

51-200 fundraiseup.com

A technology company providing a donation platform for nonprofits to optimize online giving.

View company profile →

Project: Career Search

Rev. 2026.4

[ Remote Jobs ]
Direct Access

We source jobs directly from 21,000+ company career pages. No intermediaries.

Search Jobs Post a Job
01

Discover Hidden Jobs

Unique jobs you won't find on other job boards.

02

Advanced Filters

Filter by category, benefits, seniority, and more.

03

Priority Job Alerts

Get timely alerts for new job openings every day.

04

Manage Your Job Hunt

Save jobs you like and keep a simple list of your applications.

21,000+ SOURCES UPDATED 24/7
Apply