Who is Flock?

Every community deserves to be safe, it’s a fundamental right. Our mission is simple - to build technology that reduces crime and protects privacy. Flock partners with cities, businesses, schools, and neighborhoods to help protect where people live, work, and play. Last year, Flock technology supported over 1 million criminal investigations. We've also helped solve approximately 20% of reported crimes in areas where we're deployed, and have played a role in locating more than 10,000 missing people.

We are a high-performance team united by urgency, ownership, and a shared commitment to meaningful impact. The work is fast-paced and the expectations are high. We push beyond perceived limits, support each other, and hold ourselves accountable to delivering results that matter.

With over $1B in funding and an $8.3B valuation, we are scaling with intention and investing in the people who will help us build what others said could not be done. At Flock, you will find the opportunity to grow quickly, take on real responsibility, and contribute to something bigger than yourself.

The Opportunity

As a Staff Product Security Engineer, PSIRT Lead, you will stand up and run Flock's Product Security Incident Response Team (PSIRT) as the single point of accountability for every externally-reported and internally-discovered vulnerability that touches a Flock product. Coordinating with product teams about fixes happens as much as coordinating with your security counterparts for security validation.

You will be the operational owner of our newly established CNA, the technical owner of our Coordinated Vulnerability Disclosure (CVD) program, and the cross-functional coordinator who drives fixes to closure across Hardware, Firmware, Device SRE, Cloud SRE, Mobile, ML, Legal, Comms, and Customer Support.

This is an individual contributor role with no direct reports. You will lead by influence across engineering, legal, communications, and support, setting the SLAs, the metrics, the playbooks, and the public security advisories that the rest of the company executes against.

While you will partner closely with our Detection & Response team and Corporate Security, PSIRT is distinctly product-focused: every cycle you spend should reduce risk for the devices in the field and the customers who depend on them.

The Skillset

• 7+ years in security engineering with at least 4 years directly running or leading a PSIRT, product security, or coordinated vulnerability disclosure function. Experience at a company that ships connected hardware (LPR/IP cameras, ICS/OT, automotive, medical, or networking gear) is highly preferred.

• Demonstrated end-to-end ownership of the FIRST PSIRT Services Framework v1.1 service areas (Stakeholder Ecosystem, Discovery, Triage, Remediation, Disclosure). You can talk credibly about how you implemented each in a previous role.

• Hands-on operational experience acting as a CVE Numbering Authority (CNA) or leading the technical onboarding of one. Deep knowledge of CNA Operational Rules v4.x, CVE scope definition, and root coordination (CISA ICS-CERT, MITRE).

• Deep familiarity with ISO/IEC 29147 (disclosure), ISO/IEC 30111 (handling), the CERT/CC Guide to CVD, and CISA Binding Operational Directive 20-01.

• Strong technical understanding across product security, with deep operational experience in at least three of the following (areas 1 and 2 are highly prioritized):

  • Embedded/Firmware Security (Secure boot, hardware root of trust, UART/JTAG/USB attack surfaces, OTA integrity).

  • Linux/Android Device Security.

  • Cloud Security on AWS (IAM, EKS, federation, secrets management).

  • Mobile/Web App Security (OWASP Top 10, GraphQL, authn/authz).

  • ML/CV Model Security (Adversarial inputs, data poisoning, extraction).

• Fluent with CVSS v3.1/v4.0, CWE classification, EPSS, and SSVC frameworks. You can defend a severity decision in front of an engineering VP and an external researcher in the same week without changing your story.

• Exceptional written skills. You can draft a sharp, customer-facing security advisory, a precise CVE record, an internal postmortem, and a board-level executive summary of the same event—tailoring the tone perfectly to each audience.

• Ability to obtain and maintain CJIS certification as a condition of employment.

Feeling uneasy that you haven’t ticked every box? That’s okay; we’ve felt that way too. Studies have shown women and minorities are less likely to apply unless they meet all qualifications. We encourage you to break the status quo and apply to roles that would make you excited to come to work every day.

90 Days at Flock

We prescribe to 90 day plans and believe that good days lead to good weeks, which lead to good months. This serves as a preview of the 90 day plan you will receive if you were to be hired in this role at Flock.

The First 30 Days

• The First 30 Days

  • Assess the existing product security and incident response landscape across our product and infrastructure ecosystem.

  • Establish relationships with key cross-functional stakeholders across Engineering, Product, Legal, Communications, Customer Support, and Operations to define a collaborative incident response matrix.

  • Draft a baseline Product Security Incident Response Team (PSIRT) operating model—including intake channels, triage SLAs, severity rubrics, and disclosure policies—for leadership review.

The First 60 Days

• Complete onboarding with relevant vulnerability management authorities and validate the end-to-end workflow by successfully processing an initial identifier assignment.

• Establish central tracking workflows and documentation templates to streamline and automate the logging, remediation, and reporting of security findings.

90 Days & Beyond

• Manage response operations against established SLAs, tracking key metrics like time-to-triage, time-to-fix, and time-to-disclose, and deliver regular performance updates to leadership.

• Execute coordinated public security advisories when necessary, ensuring patches, customer communications, and public disclosures are seamlessly synchronized.

Salary & Equity

In this role, you’ll receive a starting salary between $185,000 and $230,000 as well as Flock Stock Options. Base salary is determined by job-related experience, education/training, as well as market indicators. Your recruiter will discuss this in-depth with you during our first chat.

Location

We’re building the impossible, together. To drive innovation through in-person collaboration, we’re prioritizing candidates in our key hubs: Atlanta, Boston, Chicago, Denver, Los Angeles, New York City, San Francisco, and Austin. While we value the energy of our hub communities, we embrace remote work and welcome applications from exceptional talent across the United States.

The Perks

🌴Flexible PTO: We offer non-accrual PTO, plus 11 company holidays.

⚕️Fully-paid health benefits plan for employees: including Medical, Dental, and Vision and an HSA match.

👪Family Leave: All employees receive 12 weeks of 100% paid parental leave. Birthing parents are eligible for an additional 6-8 weeks of physical recovery time.

🍼Fertility & Family Benefits: We have partnered with Maven, a complete digital health benefit for starting and raising a family. Flock will provide a $50,000-lifetime maximum benefit related to eligible adoption, surrogacy, or fertility expenses.

🧠Spring Health: Spring Health offers a variety of mental health benefits, including therapy, coaching, medication management, and digital tools, all tailored to each individual's needs.

💖Caregiver Support: We have partnered with Cariloop to provide our employees with caregiver support

💸Carta Tax Advisor: Employees receive 1:1 sessions with Equity Tax Advisors who can address individual grants, model tax scenarios, and answer general questions.

💚ERGs: We want all employees to thrive and feel like they belong at Flock. We offer four ERGs today - Women of Flock, Flock Proud, LEOs and Melanin Motion. If you are interested in talking to a representative from one of these, please let your recruiter know.

💻WFH Stipend: $150 per month to cover the costs of working from home.

📚Productivity Stipend: $300 per year to use on Audible, Calm, Masterclass, Duolingo and so much more.

🏠Home Office Stipend: A one-time $750 to help you create your dream office.

If an offer is extended and accepted, this position requires the ability to obtain and maintain Criminal Justice Information Services (CJIS) certification as a condition of employment. Applicants must meet all FBI CJIS Security Policy requirements, including a fingerprint-based background check.

Flock is an equal opportunity employer. We celebrate diverse backgrounds and thoughts and welcome everyone to apply for employment with us. We are committed to fostering an environment that is inclusive, transparent, and collaborative. Mutual respect is central to how Flock operates, and we believe the best solutions come from diverse perspectives, experiences, and skills. We embrace our differences and know that we are stronger working together.

If you need assistance or an accommodation due to a disability, please email us at [email protected]. This information will be treated as confidential and used only to determine an appropriate accommodation for the interview process.

At Flock, we compensate our employees fairly for their work. Base salary is determined by job-related experience, education/training, as well as market indicators. The range above is representative of base salary only and does not include equity, sales bonus plans (when applicable) and benefits. This range may be modified in the future. This job posting may span more than one career level.

Flock is aware of fraudulent individuals and agencies falsely claiming to represent our company. All legitimate communication from Flock will come from an email address ending in @flocksafety.com. We do not make job offers through messaging apps, social platforms, or unauthorized third parties, and we will never request payment or sensitive personal information during the hiring process. If you encounter suspicious outreach related to a Flock role, please report it to [email protected]