Brave Software believes that working with security researchers across the
globe is crucial in making the web safer. If you believe you've found a
security issue in our product or service, we encourage you to notify us. We
welcome working with you to resolve the issue promptly. Thanks in advance!
As of August 1, 2018, we are only soliciting high-severity reports
regarding our primary Muon-based desktop browser. This is part of a shift from
a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered
codebase becomes more mature, it will become the focus of the bounty.
We prefer it when hackers file one report per bug, no matter how many
different ways that underlying issue can be exploited. This makes it easier
for us to understand what you're reporting and track our progress in fixing
the issue. If fixing the problem described in one report would also prevent
the troubling behavior described in another report of yours, those issues
should probably be combined.
This is approximately how much we expect to pay for reports. Understand that
this is a guide; it's meant to help set expectations.
- "not applicable" — Reports about things that we have specifically noted as out of scope.
- "informative" — We're aware of this, or we don't really see it as a security issue.
- $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.
- ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.
- ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.
- ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.
Most of the bounties we award are $50. Very few of them are more than $250.
The sweet spot for this program is $100-$250 — that's where we'd like to see
most of the reports we work on.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- If you would like to encrypt your report, please use the PGP key with fingerprint 5273 5B5A AAFA F9B1 B40A 7222 6B64 A862 A4C7 8E4B (long key ID 6B64A862A4C78E4B, available in the public keyserver pool). Verify the full fingerprint after fetching the key; the short and long IDs alone are not sufficient to identify it.
- Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.
- Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.
- Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b
The following bug classes are out of scope:
- Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.
- Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.
- Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.
- Login/logout CSRF
- Attacks requiring physical access to a user's device.
- New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.
- Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to fully defend against, and we are already aware of ways this can be done.
- Issues related to software or protocols not under Brave's control
- Vulnerabilities in outdated versions of Brave
- Redirect continuation URL vulnerabilities
- Missing security best practices that do not directly lead to a vulnerability
- Issues that do not have any impact on the general public
- Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.
- Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.
- Denial-of-service and crash issues in the Brave browser are out of scope UNLESS the issue does not exist in Chrome AND it crashes or hangs the entire browser (not just a single tab). Even then, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty, but we may give you thanks.
While researching, we'd like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of Brave Software staff or contractors
- Any physical attempts against Brave Software property or data centers
Thank you for helping keep Brave Software and our users safe!
Hall of Fame