OSS-SIRT Director Job at The Linux Foundation, Remote

  • The Linux Foundation
  • Remote

Job Description

OSS-SIRT Director

Company Description

The Linux Foundation is a 501(c)(6) non-profit that provides a neutral, trusted hub for developers and organizations to code, manage, and scale open technology projects and ecosystems.

The Open Source Security Foundation (OpenSSF) is a cross-industry organization at the Linux Foundation that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

Job Description

The OSS-SIRT Director is the senior program leader responsible for standing up, governing, and operating the OpenSSF's OSS-SIRT and OSS-VulnDB capability. This role combines program leadership, policy stewardship, ecosystem coordination, and incident-response governance, serving as the public and internal face of the program.

The Director ensures the program delivers trusted, neutral, high-quality vulnerability coordination aligned with OSV, CVE/CNA practices, CRA expectations, and OpenSSF's upstream-first principles.

Responsibilities

  • Own the OSS-VulnDB + OSS-SIRT roadmap, milestones, and delivery across transitions from MVP to public beta to steady state

  • Establish and operate OSS-SIRT governance, policies, disclosure timelines, and escalation paths

  • Serve as primary liaison to:

    • CVE Program / CNAs

    • OSV and federated VulnDB operators

    • Regulators and public-sector stakeholders (e.g., CRA-aligned reporting pathways)

  • Define and enforce data quality, curation, and dispute-resolution policies

  • Lead incident coordination for complex, multi-party vulnerabilities affecting critical OSS

  • Oversee program KPIs, risk management, reporting, and budget execution

  • Partner with OpenSSF working groups on standards alignment (OSV, VEX, SBOM, CWE)

  • Support funding sustainability efforts (founding partners, grants, member engagement)

Travel: Up to 20%

Qualifications

Prerequisites

  • 10+ years in security program management, PSIRT/SIRT leadership, or large-scale security operations

  • Direct experience with coordinated vulnerability disclosure (CVD)

  • Familiarity with CVE, CNA operations, OSV, NVD, and vulnerability lifecycles

  • Proven ability to operate in multi-stakeholder, neutral governance environments

  • Strong policy, communication, and executive-level briefing skills

Desirable Skills and Background

  • Open source foundation or standards-body leadership

  • Exposure to global regulatory frameworks (CRA, NIS2, SSDF, etc.)

  • Incident leadership for ecosystem-wide vulnerabilities (e.g., Log4Shell-class events)

Success Metrics (First 24 Months)

  • OSS-SIRT operational within 90 days

  • MVP VulnDB + workflows live within 6 months

  • Measurable reduction in time-to-publication and data-quality gaps

  • Successful onboarding of initial ecosystems and partners

Additional Information

Salary: $185,000 – $210,000 USD

All your information will be kept confidential according to EEO guidelines.
