Anthropic· Technical Program Management · San Francisco, CA | New York City, NY | Seattle, WA
Technical Program Manager, Security (Coordinated Vulnerability Disclosure)
Classified Tasks (23)
Automate 4%Augment 57%Human-Only 39%
Automate (1)
Fully handled by AI agents
Deduplicate findings against known CVEs
technical
Augment (13)
AI assists, human decides
Ensure every finding reaches the appropriate maintainer
operational
Ensure findings are submitted at an appropriate pace scaled to maintainer capacity
operational
Ensure every finding includes the necessary context for maintainers
communication
Notify maintainers of identified vulnerabilities
communication
Track remediation progress and maintain remediation records
operational
Set minimum confidence thresholds for vulnerability findings
analytical
Ensure every report sent to a maintainer meets Anthropic's quality bar
communication
Implement severity-based disclosure windows with appropriate extension policies
operational
Develop rate-limiting frameworks that govern how many findings are submitted to each project
operational
Scale pacing and submission models to maintainer capacity and project size
operational
Define and track program health metrics such as fix rates, false-positive rates, median time-to-patch, and qualitative maintainer feedback
analytical
Use program metrics to inform decisions about program expansion, pacing adjustments, and policy updates
analytical
Coordinate with Security Engineering, Legal, Communications, Product, and Frontier Red Team to align CVD activities and disclosures
communication
Human-Only (9)
Requires human judgment
Build and lead programs that govern responsible disclosure of software vulnerabilities discovered by Anthropic's AI tools
leadership
Ensure Anthropic meets Responsible Scaling Policy (RSP) compliance requirements during disclosure
operational
Own the end-to-end coordinated vulnerability disclosure (CVD) lifecycle from AI-generated finding through external disclosure
leadership
Define and drive the roadmap for coordinated vulnerability disclosure from detection through notification, remediation tracking, and public disclosure
leadership
Establish and manage the human review process that validates AI-generated findings before external disclosure
operational
Validate AI-generated findings through human triage and quality assurance
operational
Manage relationships with open-source maintainers and closed-source vendors
communication
Serve as the primary point of contact for vulnerability coordination and escalate when maintainers are unresponsive
communication
Drive phased rollout of the CVD program from initial trusted partners through broader open-source engagement
leadership
Job description
About Anthropic Anthropic’s mission is to create reliable, interpretable, and steerable AI systems. We want AI to be safe and beneficial for our users and for society as a whole. Our team is a quickly growing group of committed researchers, engineers, policy experts, and business leaders working together to build beneficial AI systems. About the Role As a Technical Program Manager for Security, Coordinated Vulnerability Disclosure (CVD), you will build and lead the programs that govern how Anthropic responsibly discloses software vulnerabilities discovered by our AI-powered tools, including Claude, Patchy, and Claude Code. These tools have already found real zero-days in Firefox, the Linux kernel, and other critical software. The challenge is no longer just finding vulnerabilities; it is managing the consequences of finding them at unprecedented scale and speed. Traditional coordinated disclosure frameworks were designed for a world where a researcher might find one serious vulnerability every few weeks. AI-powered discovery has changed that equation entirely; Claude can surface hundreds of findings in a single codebase in a single day. This role exists to ensure that every finding reaches the right maintainer, at the right pace, with the right context, and that Anthropic meets its Responsible Scaling Policy (RSP) commitments in the process. You will own the end-to-end CVD lifecycle: from internal triage and human validation of AI-generated findings, through tiered disclosure timelines, to external coordination with vendors, open-source maintainers, and organizations. This role requires deep collaboration across Security Engineering, Legal, Communications, Product, and Frontier Red Team to ensure Anthropic operates as a responsible steward of the vulnerabilities its tools discover. Responsibilities: Own end-to-end CVD program strategy and execution: Define and drive the roadmap for coordinated vulnerability disclosure, from AI-generated finding through maintainer notification, remediation tracking, and public disclosure. Ensure alignment with Anthropic’s security posture and RSP compliance requirements. Lead internal triage and quality assurance: Establish and manage the human review process that validates all AI-generated findings before external disclosure. Set minimum confidence thresholds, deduplicate against known CVEs, and ensure every report sent to a maintainer meets Anthropic’s quality bar. Design and operate tiered disclosure timelines: Implement severity-based disclosure windows with appropriate extension policies. Build and manage pacing and submission models: Develop rate-limiting frameworks that govern how many findings are submitted to each project, scaled to maintainer capacity and project size. Lead external coordination and partner engagement: Manage relationships with open-source maintainers and closed-source vendors. Serve as the primary point of contact for vulnerability coordination, including escalation when maintainers are unresponsive. Drive the phased rollout from initial trusted partners through broader open-source engagement. Establish program metrics and reporting: Define and track the metrics that determine program health, including fix rates, false-positive rates, median time-to-patch, and qualitative maintainer feedback. Use these metrics to inform decisions about program expansion, pacing adjustments, and policy updates. Drive response category classification: Manage the process for classif