Vulnerability Research Engineer (N-Day Analysis)
STAR LABS SG PTE. LTD.
Key Responsibilities
- Triage newly disclosed vulnerabilities (CVEs, vendor advisories, security research) to assess real-world exploitability and impact.
- Reproduce and verify publicly reported or vendor-patched vulnerabilities in controlled lab environments to confirm exploitability and characterize attacker preconditions.
- Perform patch diffing and root-cause analysis to understand how a vulnerability works and how it's likely to be exploited in practice.
- Document findings in structured, standardised formats for ingestion into the threat intelligence portal (technical writeups, exploitation timelines, affected versions, indicators).
- Develop detection artefacts (e.g. signatures, indicators of compromise) alongside PoC verification work, where relevant.
- Track and correlate vulnerability disclosures against real-world exploitation evidence and threat actor activity.
- Contribute technical research to the company's blog posts, advisories and reports that build STAR Labs SG's reputation in the vulnerability intelligence space.
- Operate within a clear responsible disclosure and data-handling framework. All work is documented, defensively purposed, and consistent with coordinated vulnerability disclosure norms.
Requirements
- Strong background in vulnerability research, reverse engineering, or exploit analysis (CTF experience, CVEs, bug bounty history, or equivalent portfolio).
- Solid understanding of common vulnerability classes (memory corruption, injection, auth bypass, deserialization, etc.) across at least one major platform (web, Windows, Linux, or embedded).
- Experience with reverse engineering and debugging tools (e.g. Ghidra, IDA Pro, WinDbg, gdb).
- Ability to write clear, structured technical analysis for both technical and non-technical audiences.
- Comfortable working with a defined, documented research and disclosure process rather than ad hoc offensive tooling development.
- Experience with patch diffing tools and techniques.
- Familiarity with threat intelligence concepts (KEV, exploitation-in-the-wild tracking, IOC/detection engineering).
- Prior published vulnerability research, CVEs, or conference talks.
- Scripting/automation skills (Python) for research tooling and data pipelines.