SecJobs
RoleSuite
Updated 2026-06-26 10:00 UTC·© 2025–2026 RoleSuite

PSIRT & Vulnerability Management Analyst

Ciena · Gurugram

As the global leader in high-speed connectivity, Ciena is committed to a people-first approach. Our teams enjoy a culture focused on prioritizing a flexible work environment that empowers individual growth, well-being, and belonging. We’re a technology company that leads with our humanity—driving our business priorities alongside meaningful social, community, and societal impact.

How You Will Contribute:

Ciena’s Product Security organization is expanding its PSIRT capability to strengthen how we receive, investigate, coordinate, and respond to product security vulnerabilities. We are looking for a hands-on PSIRT Analyst who can support vulnerability intake, triage, technical analysis, disclosure coordination, and cross-functional response activities across Ciena’s product portfolio.

This role is ideal for someone with a strong foundation in vulnerability management, product security, incident response, secure software practices, and technical communication. The PSIRT Analyst will work closely with product engineering, security architecture, legal, PLM, customer-facing teams, and external researchers to ensure product security issues are handled in a consistent, timely, and defensible manner.

  • Support day-to-day PSIRT operations, including vulnerability intake, triage, validation, tracking, remediation coordination, and disclosure support.
  • Review and analyze vulnerability reports from internal teams, customers, researchers, third-party coordinators, suppliers, and public sources.
  • Perform initial technical assessment of reported vulnerabilities, including exploitability, affected products, attack vectors, severity, and potential customer impact.
  • Partner with engineering teams to validate findings, identify affected versions, determine remediation options, and track fixes through closure.
  • Support CVSS scoring, risk rating, and vulnerability prioritization based on product context, exploitability, exposure, and customer deployment scenarios.
  • Assist in drafting and reviewing security advisories, customer communications, vulnerability summaries, and technical response statements.
  • Coordinate with Legal, PLM, Customer Support, and Security leadership on vulnerability disclosure timelines, customer impact, and external communications.
  • Monitor external vulnerability sources, including vendor advisories, open-source disclosures, CISA alerts, NVD, exploit databases, and threat intelligence feeds.
  • Support supplier and third-party component vulnerability analysis, including SBOM, VEX, open-source package exposure, and inherited vulnerability tracking.
  • Maintain PSIRT records, metrics, dashboards, and process documentation to support auditability, regulatory readiness, and leadership reporting.
  • Participate in PSIRT tabletop exercises, lessons learned, process improvements, and maturity initiatives.
  • Help translate PSIRT findings into product security improvements, including secure-by-default requirements, detection opportunities, hardening guidance, and product lifecycle feedback.
  • Support regulatory and industry alignment activities related to vulnerability handling, coordinated disclosure, EU CRA, NIS2, NIST SSDF, ISO, and other product security expectations.

The nice to haves:

  • 3+ years of experience in product security, PSIRT, vulnerability management, incident response, application security, or security engineering.
  • Strong understanding of vulnerability lifecycle management, including intake, triage, validation, remediation tracking, disclosure, and advisory publication.
  • Familiarity with CVSS scoring, CWE, CVE, CPE, EPSS, KEV, and vulnerability prioritization methods.
  • Experience analyzing vulnerabilities across software, firmware, operating systems, open-source components, networking products, cloud services, or embedded systems.
  • Ability to review vulnerability reports, reproduce issues when needed, and communicate technical risk clearly to engineering and leadership teams.
  • Working knowledge of secure software development practices, threat modeling, SCA, SAST, DAST, penetration testing, and remediation validation.
  • Familiarity with JIRA, ServiceNow, GitHub/GitLab, vulnerability scanners, SBOM tools, and security tracking workflows.
  • Understanding of coordinated vulnerability disclosure practices, customer security communications, and advisory publication processes.
  • Strong written communication skills with the ability to create clear, accurate, and customer-ready security content.
  • Ability to work across engineering, legal, PLM, support, compliance, and customer-facing teams.
  • Bachelor’s degree in Computer Science, Cybersecurity, Information Security, Engineering, or related field, or equivalent practical experience.

Assets:

  • Prior experience working in a formal PSIRT, CERT, product security, or vulnerability disclosure program.
  • Experience with networking, telecom, embedded systems, Linux-based products, or infrastructure software.
  • Familiarity with FIRST, CVE CNA practices, ISO/IEC 29147, ISO/IEC 30111, NIST SSDF, and secure product development frameworks.
  • Experience supporting customer-facing security advisories, vulnerability statements, or regulatory responses.
  • Hands-on scripting or automation experience using Python, shell scripting, APIs, or data normalization workflows.
  • Experience with SBOM/VEX workflows, open-source vulnerability analysis, supplier security, or third-party component risk.
  • Security certifications such as Security+, GSEC, SSCP, CISSP, CEH, OSCP, or equivalent practical experience are a plus.


 


At Ciena, we are committed to building and fostering an environment in which our employees feel respected, valued, and heard. Ciena values the diversity of its workforce and respects its employees as individuals. We do not tolerate any form of discrimination.

Ciena is an Equal Opportunity Employer, including disability and protected veteran status.

If contacted in relation to a job opportunity, please advise Ciena of any accommodation measures you may require.

Security pay context

Based on 1,678 disclosed Security salaries on RoleSuite, the role pays a median of $142K/year, with most offers between $114K and $181K (10th–90th percentile: $95K–$216K).

