Lead / Manager

Technical Program Manager, Security (Coordinated Vulnerability Disclosure)

Anthropic

Compensation

$290,000 - $405,000/year

San Francisco, CA | New York City, NY | Seattle, WA
Hybrid
Posted March 20, 2026

Job Description

About Anthropic

Anthropic’s mission is to create reliable, interpretable, and steerable AI systems. We want AI to be safe and beneficial for our users and for society as a whole. Our team is a quickly growing group of committed researchers, engineers, policy experts, and business leaders working together to build beneficial AI systems.

About the Role

As a Technical Program Manager for Security, Coordinated Vulnerability Disclosure (CVD), you will build and lead the programs that govern how Anthropic responsibly discloses software vulnerabilities discovered by our AI-powered tools, including Claude, Patchy, and Claude Code. These tools have already found real zero-days in Firefox, the Linux kernel, and other critical software. The challenge is no longer just finding vulnerabilities; it is managing the consequences of finding them at unprecedented scale and speed.

Traditional coordinated disclosure frameworks were designed for a world where a researcher might find one serious vulnerability every few weeks. AI-powered discovery has changed that equation entirely; Claude can surface hundreds of findings in a single codebase in a single day. This role exists to ensure that every finding reaches the right maintainer, at the right pace, with the right context, and that Anthropic meets its Responsible Scaling Policy (RSP) commitments in the process.

You will own the end-to-end CVD lifecycle: from internal triage and human validation of AI-generated findings, through tiered disclosure timelines, to external coordination with vendors, open-source maintainers, and organizations. This role requires deep collaboration across Security Engineering, Legal, Communications, Product, and Frontier Red Team to ensure Anthropic operates as a responsible steward of the vulnerabilities its tools discover.

Responsibilities:

  • Own end-to-end CVD program strategy and execution: Define and drive the roadmap for coordinated vulnerability disclosure, from AI-generated finding through maintainer notification, remediation tracking, and public disclosure. Ensure alignment with Anthropic’s security posture and RSP compliance requirements.
  • Lead internal triage and quality assurance: Establish and manage the human review process that validates all AI-generated findings before external disclosure. Set minimum confidence thresholds, deduplicate against known CVEs, and ensure every report sent to a maintainer meets Anthropic’s quality bar.
  • Design and operate tiered disclosure timelines: Implement severity-based disclosure windows with appropriate extension policies. 
  • Build and manage pacing and submission models: Develop rate-limiting frameworks that govern how many findings are submitted to each project, scaled to maintainer capacity and project size. 
  • Lead external coordination and partner engagement: Manage relationships with open-source maintainers and closed-source vendors. Serve as the primary point of contact for vulnerability coordination, including escalation when maintainers are unresponsive. Drive the phased rollout from initial trusted partners through broader open-source engagement.
  • Establish program metrics and reporting: Define and track the metrics that determine program health, including fix rates, false-positive rates, median time-to-patch, and qualitative maintainer feedback. Use these metrics to inform decisions about program expansion, pacing adjustments, and policy updates.
  • Drive response category classification: Manage the process for classifying findings into response categories (latent vulnerability, active exploitation, ecosystem-level pattern) and ensure the appropriate response protocol is triggered for each category.
  • Lead cross-functional coordination: Manage stakeholder relationships across Security Engineering, Legal, Communications, Product, and Frontier Red Team to drive alignment and execution on disclosure initiatives. Ensure legal review of disclosure timelines and coordinate public communications around significant findings.
  • Collaborate with