12/10/2016
Reward: 50 $

Brave Software

Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!

Recent Changes

Last change — August 21 2019
This section summarizes what's changed in roughly the last six months. It's only a summary, though — the full policy is below the changelog.

  • ⚠️ As of November 8 2018, we are no longer soliciting reports for our legacy iOS codebase. Only issues which are reproducible on our newer iOS revision will be eligible for a bounty.
  • ℹ️ On Oct 29 2019, we clarified exclusions for DoS bugs.
  • ℹ️ On August 21 2019, we noted that social media account takeovers on our websites are out of scope.
  • ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.
  • ℹ️ On March 8 2019, we noted that Github wikis being publicly editable is out of scope.
  • ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.
  • ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.
  • ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.
  • ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.

Bounty Schedule

This is approximately how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.

  • "not applicable" — Reports about things that we have specifically noted as out of scope.
  • "informative" — We're aware of this, or we don't really see it as a security issue.
  • $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]
  • ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.
  • ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.
  • ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.
  • ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.
  • Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.

Most of the bounties we award are $50-$150. Very few of them are more than $250.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party. We may publicly disclose the issue before resolving it, if appropriate.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it on our HackerOne page.
  • We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.

ℹ️ Program notes

  • The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.
  • We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.
  • We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email security@brave.com. We would prefer that you not personally message Brave team members on other platforms or channels.

✅ In-scope

  • Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.
  • Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.
  • Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.
  • Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b
  • Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.

❌ Exclusions

The following products are out of scope:

Issues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.

⭕️ The following bug classes are out of scope:

  • Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.
  • Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.
  • In particular, bugs on community.brave.com or forum.batcommunity.org should be reported to Discourse, not Brave: https://hackerone.com/discourse
  • Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.
  • Login/logout CSRF
  • Attacks requiring physical/local access to a user's device.
  • New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.
  • Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.
  • Self-XSS
  • Issues related to software or protocols not under Brave's control
  • Vulnerabilities in outdated versions of Brave
  • Redirect continuation URL vulnerabilities
  • Missing security best practices that do not directly lead to a vulnerability
  • Issues that do not have any impact on the general public
  • Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.
  • Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.
  • Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.
  • A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.
  • Bugs in browser extensions which are not enabled/installed by default in Brave.
  • Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account).

While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Brave Software staff or contractors
  • Any physical attempts against Brave Software property or data centers

Thank you for helping keep Brave Software and our users safe!

In Scope

Scope Type           Scope Name
android_application  com.brave.browser
ios_application      com.brave.ios.browser
web_application      publishers.basicattentiontoken.org
web_application      https://github.com/brave/browser-android-tabs
web_application      https://github.com/brave/brave-ios
web_application      https://github.com/brave/vault-updater
web_application      https://github.com/brave-intl/publishers
web_application      https://github.com/brave-intl/bat-publisher
web_application      https://github.com/brave-intl/bat-go
web_application      https://github.com/brave-intl/bat-balance
web_application      https://github.com/brave-intl/bat-client
web_application      https://github.com/brave-intl/bat-ledger
web_application      https://laptop-updates.brave.com/latest/winia32
web_application      https://laptop-updates.brave.com/latest/dev/ubuntu64
web_application      https://laptop-updates.brave.com/latest/linux64
web_application      https://laptop-updates.brave.com/latest/openSUSE64
web_application      https://laptop-updates.brave.com/latest/winx64
web_application      https://laptop-updates.brave.com/latest/fedora64
web_application      https://laptop-updates.brave.com/latest/mint64
web_application      https://laptop-updates.brave.com/latest/dev/debian64
web_application      https://laptop-updates.brave.com/latest/osx
web_application      brave.com
web_application      basicattentiontoken.org

Out of Scope

Scope Type           Scope Name
android_application  com.linkbubble.playstore
undefined            https://github.com/brave/browser-laptop
undefined            https://github.com/brave/muon
undefined            https://github.com/brave/link-bubble
web_application      https://github.com/brave/browser-ios
