[{"id":3774713,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have been previously addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, 
not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We do not issue CVEs except for severe issues with wide public impact. Reports will be disclosed at our discretion. \n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may grant the higher of the Impact and the Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix them rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. 
However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. 
**Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DOS issue also leads to remote code execution or disclosure of users' data. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it does not require the attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS, as this feature will be deprecated soon. Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR-related attacks which do not directly show in the proof of concept how the UUID is being stolen\n* Bypasses that grant Brave Origin access without payment are generally out of scope\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they:\n\n1. are covered by an exclusion above;\n2. cannot be reproduced in a production environment using the steps defined in the report;\n3. do not concisely define how to reproduce the issue;\n4. do not have anything to do with Brave;\n5. 
appear to be AI generated without human validation (overly verbose and/or containing bogus claims, even if some claims are valid).\n\nWe reserve the right to ban you from our program after 2 reports closed as N/A or Spam.  If you cannot produce a reproducible proof of concept, please file an issue or open a pull request instead.\n\nSimply asking an AI to find a bug in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable, by constructing a PoC, generating an ASAN trace, recording the bug being reproduced, or performing your own debugging. We may also, at our discretion, consider such reports spam and close them, so please make sure you're authoring high quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Due to high AI-generated report volume, we may temporarily pause report submissions from time to time. During these times you may still submit reports via the contact method listed in our main site's security.txt.","platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"We have received too many AI generated reports about this finding with no security impact. 
We will only reward for this finding if identifiers are leaked or predictable.\"}","{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"We have received too many AI generated reports.\"}","{\"platform_standard\":\"VULNERABLE_NETWORK_CONNECTION_IN_CLIENT_APPLICATIONS\",\"justification\":\"We have received too many AI generated reports.\"}","{\"platform_standard\":\"THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT\",\"justification\":\"We do not award for upstream issues generally.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-05-22T03:18:13.768Z"},{"id":3774712,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have been previously addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We do not issue CVEs except for severe issues with wide public impact. Reports will be disclosed at our discretion. \n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may grant the higher of the Impact and the Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix them rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. 
This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. 
(This is very rare.)\n\n## LLM and AI Agent Security\n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it does not require the attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS, as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR-related attacks which do not directly show how the UUID is being stolen in the proof of concept\n* Bypasses that grant Brave Origin access without payment are generally out of scope\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they:\n\n1. are covered by an exclusion above;\n2. cannot be reproduced using the steps defined in the report in a production environment;\n3. do not concisely define how to reproduce the issue;\n4. do not have anything to do with Brave;\n5. appear to be AI generated without human validation (are overly verbose and/or contain bogus claims, even if some claims are valid).\n\nWe reserve the right to ban you from our program after 2 reports closed as N/A or Spam. If you cannot produce a reproducible proof of concept, please file an issue or open a pull request instead.\n\nSimply asking an AI to identify a bug in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug being reproduced, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them so please make sure you're authoring high quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"We have received too many AI generated reports about this finding with no security impact. We will only reward for this finding if identifiers are leaked or predictable.\"}","{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"We have received too many AI generated reports.\"}","{\"platform_standard\":\"VULNERABLE_NETWORK_CONNECTION_IN_CLIENT_APPLICATIONS\",\"justification\":\"We have received too many AI generated reports.\"}","{\"platform_standard\":\"THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT\",\"justification\":\"We do not award for upstream issues generally.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-05-22T03:15:22.408Z"},{"id":3774664,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. 
Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to the in-scope list.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that GitHub wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party. 
We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it on our HackerOne page.\n* We do not issue CVEs except for severe issues with wide public impact. Reports will be disclosed at our discretion.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix them rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. 
Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. 
(This is very rare.)\n\n## LLM and AI Agent Security\n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A GitHub wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it does not require the attacker to modify the PATH variable or perform other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Paths being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklet functionality)\n* Hostname confusion due to the '@' symbol in a URL.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades and are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reports about .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to a lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS, as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR-related attacks which do not directly show how the UUID is being stolen in the proof of concept\n* Bypasses that grant Brave Origin access without payment are generally out of scope\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they:\n\n1. are covered by an exclusion above;\n2. cannot be reproduced using the steps defined in the report in a production environment;\n3. do not concisely define how to reproduce the issue;\n4. do not have anything to do with Brave;\n5. appear to be AI generated without human validation (are overly verbose and/or contain bogus claims, even if some claims are valid).\n\nWe reserve the right to ban you from our program after 2 reports closed as N/A or Spam. If you cannot produce a reproducible proof of concept, please file an issue or open a pull request instead.\n\nSimply asking an AI to identify a bug in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug being reproduced, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them so please make sure you're authoring high quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"We have received too many AI generated reports about this finding with no security impact. We will only reward for this finding if identifiers are leaked or predictable.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-05-20T23:20:08.489Z"},{"id":3774067,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to the in-scope list.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that GitHub wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it on our HackerOne page.\n* We do not issue CVEs except for severe issues with wide public impact. Reports will be disclosed at our discretion.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix them rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. 
This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. 
(This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues 
in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A GitHub wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it does not require the attacker to modify the PATH variable or perform other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reports about .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR related attacks which do not directly show how the UUID is being stolen in the proof of concept\n* Bypasses that grant Brave Origin access without payment are generally out of scope\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they:\n\n1. are covered by an exclusion above;\n2. cannot be reproduced using the steps defined in the report in a production environment;\n3. do not concisely define how to reproduce the report;\n4. do not have anything to do with Brave;\n5. appear to be AI generated without human validation (are overly verbose and/or contain bogus claims, even if some claims are valid).\n\nWe reserve the right to ban you from our program after 2 reports closed as N/A or Spam. If you cannot produce a reproducible proof of concept, please file an issue or open a pull request instead.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug being reproduced, or performing your own debugging. 
Therefore, we may also at our discretion consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"We have received too many AI generated reports about this finding with no security impact. We will only reward for this finding if identifiers are leaked or predictable.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-05-12T18:11:19.157Z"},{"id":3774066,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to the in-scope list.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We do not issue CVEs except for severe issues with wide public impact. Reports will be disclosed at our discretion. \n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and the Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. 
This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. 
(This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues 
in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reports about .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR related attacks which do not directly show how the UUID is being stolen in the proof of concept\n* Bypasses that grant Brave Origin access without payment are generally out of scope\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they:\n\n1. are covered by an exclusion above;\n2. cannot be reproduced using the steps defined in the report in a production environment;\n3. do not concisely define how to reproduce the report;\n4. or do not have anything to do with Brave.\n\nWe reserve the right to ban you from our program after 2 reports closed as N/A or Spam. If you cannot produce a reproducible proof of concept, please file an issue or open a pull request instead.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug being reproduced, or performing your own debugging. 
Therefore, we may also at our discretion consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"We have received too many AI generated reports about this finding with no security impact. We will only reward for this finding if identifiers are leaked or predictable.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-05-12T18:09:56.323Z"},{"id":3773819,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to the in-scope list.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and the Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. 
This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. 
(This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues 
in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DOS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR related attacks which do not directly show how the UUID is being stolen in the proof of concept\n* Bypasses that grant Brave Origin access without payment are generally out of scope\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are:\n\n1.  covered by an exclusion above;\n2. cannot be reproduced using the steps defined in the report in a production environment;\n3. do not concisely define how to reproduce the report;\n4. or do not have anything to do with Brave. \n\nWe reserve the right to ban you from our program after 2 reports closed as N/A or Spam.  If you cannot produce a reproducible proof of concept, please file an issue or open a pull request instead.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them so please make sure you're authoring high quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"We have received too many AI generated reports about this finding with no security impact. We will only reward for this finding if identifiers are leaked or predictable.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-05-07T14:28:43.422Z"},{"id":3773818,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have been previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations. In some cases (ex: severe critical issue) we will award much higher. 
\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ~$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ~$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* $1000+ — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DOS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR related attacks which do not directly show how the UUID is being stolen in the proof of concept\n* Bypasses that grant Brave Origin access without payment are generally out of scope\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are:\n\n1.  covered by an exclusion above;\n2. cannot be reproduced using the steps defined in the report in a production environment;\n3. do not concisely define how to reproduce the report;\n4. or do not have anything to do with Brave. \n\nWe reserve the right to ban you from our program after 2 reports closed as N/A or Spam.  If you cannot produce a reproducible proof of concept, please file an issue or open a pull request instead.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them so please make sure you're authoring high quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":\"We have received too many AI generated reports about this finding with no security impact. We will only reward for this finding if identifiers are leaked or predictable.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-05-07T14:23:25.508Z"},{"id":3772752,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have been previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require the attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in the limited circumstances where an exploit is able to impact a Brave product or service will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS, as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR-related attacks which do not directly show how the UUID is being stolen in the proof of concept\n* Bypasses that grant Brave Origin access without payment are generally out of scope\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI-generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they:\n\n1. are covered by an exclusion above;\n2. cannot be reproduced using the steps defined in the report in a production environment;\n3. do not concisely define how to reproduce the issue;\n4. or do not have anything to do with Brave.\n\nWe reserve the right to ban you from our program after 2 reports closed as N/A or Spam. If you cannot produce a reproducible proof of concept, please file an issue or open a pull request instead.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable, by constructing a POC, generating an ASAN trace, recording the bug being reproduced, or performing your own debugging. 
We may therefore, at our discretion, consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-04-17T13:41:11.288Z"},{"id":3771208,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to the in-scope list.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to award whichever is higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require the attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in the limited circumstances where an exploit is able to impact a Brave product or service will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS, as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR-related attacks which do not directly show how the UUID is being stolen in the proof of concept\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI-generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they:\n\n1. are covered by an exclusion above;\n2. cannot be reproduced using the steps defined in the report in a production environment;\n3. do not concisely define how to reproduce the issue;\n4. or do not have anything to do with Brave.\n\nWe reserve the right to ban you from our program after 2 reports closed as N/A or Spam. If you cannot produce a reproducible proof of concept, please file an issue or open a pull request instead.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable, by constructing a POC, generating an ASAN trace, recording the bug being reproduced, or performing your own debugging. 
We may therefore, at our discretion, consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-03-17T02:24:54.132Z"},{"id":3770681,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to the in-scope list.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and the Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix them rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A GitHub wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it does not require an attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to a lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS, as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR-related attacks which do not directly show how the UUID is being stolen in the proof of concept\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they:\n\n1. are covered by an exclusion above;\n2. cannot be reproduced using the steps defined in the report in a production environment;\n3. do not concisely define how to reproduce the report;\n4. or do not have anything to do with Brave.\n\nWe reserve the right to ban you from our program after 2 reports closed as N/A or Spam. If you cannot produce a reproducible proof of concept, please file an issue or open a pull request instead.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a PoC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-03-08T02:53:43.394Z"},{"id":3770680,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we marked Brave Android Beta as in-scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that GitHub wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and the Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix them rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A GitHub wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it does not require an attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to a lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS, as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR related attacks which do not directly show how the UUID is being stolen in the proof of concept\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above, cannot be reproduced using the steps defined in the report in a production environment, do not concisely define how to reproduce the report, or do not have anything to do with Brave. We reserve the right to ban you from our program after 2 reports closed as N/A or Spam.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them, so please make sure you're authoring high quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-03-08T02:46:10.402Z"},{"id":3770679,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have been previously addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR related attacks which do not directly show how the UUID is being stolen in the proof of concept\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave. We reserve the right to ban you from our program after 2 reports closed as N/A or Spam.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them, so please make sure you're authoring high quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-03-07T21:03:42.523Z"},{"id":3770077,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have been previously addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reports about .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to a lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Browser lock bypasses on iOS, as this feature will be deprecated soon. 
Browser lock bypasses on other platforms will be considered at our discretion.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR-related attacks which do not directly show how the UUID is being stolen in the proof of concept\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI-generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI-Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to find a bug in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable, by constructing a PoC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. We may also, at our discretion, consider such reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-02-23T17:19:30.493Z"},{"id":3769753,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we marked Brave Android Beta as in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that GitHub wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may grant the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix them rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out of scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out of scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but are usually out of scope unless serious.\n* A GitHub wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it does not require the attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reports about .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to a lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR-related attacks which do not directly show how the UUID is being stolen in the proof of concept\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI-generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI-Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to find a bug in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable, by constructing a PoC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. We may also, at our discretion, consider such reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-02-17T03:55:50.459Z"},{"id":3769752,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we marked Brave Android Beta as in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that GitHub wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may grant the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix them rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it doesn't require the attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklet functionality)\n* Hostname confusion due to the '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR-related attacks which do not directly show how the UUID is being stolen in the proof of concept\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* AI generated reports without validating them yourself\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have 
anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. We also may at our discretion consider these reports spam and close them, so please make sure you're authoring high quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-02-17T03:55:30.786Z"},{"id":3769751,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it doesn't require the attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklet functionality)\n* Hostname confusion due to the '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* Reports which rely on input manipulation without showing that an unprivileged attacker can manipulate the input.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR-related attacks which do not directly show how the UUID is being stolen in the proof of concept\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to 
identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. We also may at our discretion consider these reports spam and close them, so please make sure you're authoring high quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-02-17T03:55:13.091Z"},{"id":3769571,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (e.g. Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out of scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out of scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but are usually out of scope unless serious.\n* A GitHub wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it does not require the attacker to modify the PATH variable or perform other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos referencing NPM package names that are unclaimed on the public NPM registry (dependency confusion), unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklet functionality)\n* Hostname confusion due to an '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests outside a webpage context that don't go through Brave Shields or HTTPS Upgrades will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope.\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out of scope.\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reports involving the .brave TLD should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (e.g. with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to a lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n* IDOR-related attacks whose proof of concept does not directly show how the UUID is obtained\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n## AI-Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to find a bug in Brave is unlikely to yield a valid report. 
Before submitting a report generated by AI, please ensure you have done enough human work to validate that the issue is (a) in scope, and (b) reachable, by constructing a PoC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. We may also, at our discretion, consider unvalidated AI-generated reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2026-02-11T23:41:00.342Z"},{"id":3766630,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to the in-scope list.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that GitHub wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it on our HackerOne page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may award based on the higher of the Impact and Severity ratings for constructive and detailed reports. We generally rate bugs based on how urgent it is for Brave to fix them rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes, but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n## LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (e.g. Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out of scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out of scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but are usually out of scope unless serious.\n* A GitHub wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it does not require the attacker to modify the PATH variable or perform other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos referencing NPM package names that are unclaimed on the public NPM registry (dependency confusion), unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklet functionality)\n* Hostname confusion due to an '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests outside a webpage context that don't go through Brave Shields or HTTPS Upgrades will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope.\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out of scope.\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reports involving the .brave TLD should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (e.g. with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to a lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n## AI-Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to find a bug in Brave is unlikely to yield a valid report. 
Before submitting a report generated by AI, please ensure you have done enough human work to validate that the issue is (a) in scope, and (b) reachable, by constructing a PoC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. We may also, at our discretion, consider unvalidated AI-generated reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-11-26T18:17:33.909Z"},{"id":3766629,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On November 26 2025, we added a section on LLM and AI Agent Security.\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to the in-scope list.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that GitHub wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n### LLM and AI Agent Security\n\nAs of November 26 2025, we are temporarily doubling our usual bounties for in-scope LLM and AI Agent Security issues subject to the guidelines below. \n\n**Scope and Approach**\n\nOnly LLM vulnerabilities with direct, verifiable security impact are in scope for this bug bounty program. 
Content generation issues, jailbreaks, and hallucinations without concrete security consequences should be reported to ai-safety@brave.com.\n\n**Prompt Injection Vulnerabilities**\n\nTo qualify as a valid security issue, prompt injection attacks must demonstrate:\n\n1. **Direct and Verifiable Security Impact** - The vulnerability must result in one or more of the following:\n   - Data leakage (unauthorized access to sensitive information)\n   - Data destruction or modification\n   - Other unauthorized actions performed on behalf of the user that have clear security impact\n\n2. **Unintended Behavior** - The attack must cause the LLM/agent to deviate from the user's intended instructions without explicit user direction.\n\n**Out of Scope:**\n\n- Jailbreaks, safety bypasses, or getting the model to generate harmful content\n- Model hallucinations or pretending to execute actions without actual impact\n- Prompt injections where the user explicitly instructs the AI to follow potentially malicious content (e.g., \"follow instructions on this web page\" where the page contains injection attempts)\n- Attacks requiring the user to directly paste or input malicious prompts themselves\n- System prompt leakage\n- Theoretical vulnerabilities without demonstrated, verifiable security impact\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## The following bug classes are out of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it doesn't require the attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. 
Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a PoC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. We may also, at our discretion, consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-11-26T18:16:30.139Z"},{"id":3766376,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service, such as prompt injection causing a browser vulnerability. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. 
Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are usually out-of-scope unless the DoS issue also leads to remote code execution or disclosure of users' data. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it doesn't require the attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a PoC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
We may also, at our discretion, consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-11-19T20:33:44.404Z"},{"id":3765379,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generallly rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service, such as prompt injection causing a browser vulnerability. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. 
Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome (or Safari for iOS) AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
In limited circumstances where an exploit is able to impact a Brave product or service will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n* We reserve the right to close issues which lack an end-to-end proof of concept showing that the attack is feasible.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them so please make sure you're authoring high quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-10-31T00:46:18.824Z"},{"id":3765374,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have been previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generallly rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service, such as prompt injection causing a browser vulnerability. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. 
Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome (or Safari for iOS) AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
In limited circumstances where an exploit is able to impact a Brave product or service will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-10-30T19:51:35.597Z"},{"id":3765373,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may grant the higher of the Impact and the Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. 
Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome (or Safari for iOS) AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
In limited circumstances where an exploit is able to impact a Brave product or service will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-10-30T19:44:49.465Z"},{"id":3765313,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may grant the higher of the Impact and the Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. 
Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome (or Safari for iOS) AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
In limited circumstances where an exploit is able to impact a Brave product or service will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-10-29T15:50:04.719Z"},{"id":3764811,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. 
Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it doesn't require the attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* Transaction parsing and warnings displayed in Brave Wallet which would typically be covered by a transaction simulation service.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-10-17T20:32:58.624Z"},{"id":3764516,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. 
Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it doesn't require the attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs, domains, or other security info is out of scope if it's clear that the info is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-10-11T21:43:03.390Z"},{"id":3762723,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta as in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. 
Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account).\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* Spoofing URLs or domains is out of scope if it's clear that the URL/domain is truncated (ex: with `...`)\n* Leaked credentials on Brave domains are out of scope, unless the leak is due to a security issue in an in-scope Brave product.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n## AI Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
Therefore, we also may at our discretion consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-09-14T02:52:54.550Z"},{"id":3760732,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta as in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. 
Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account).\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider such reports in scope.\n* Spoofing URLs or domains is out of scope if it's clear that the URL/domain is truncated (ex: with `...`)\n* We will try our best to consider reports which are not in English but may not be able to triage them due to a lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n## AI-Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. 
We may therefore, at our discretion, consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-08-06T18:39:52.679Z"},{"id":3759622,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and the Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix them rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. (This is very rare.)\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. 
Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider such reports in scope.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to a lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\n## AI-Generated Reports and Spam\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nSimply asking an AI to identify a bug report in Brave is unlikely to yield a valid report. Before submitting a report generated by AI, please ensure you have done enough human work to validate that any issue is (a) in scope, and (b) reachable by constructing a POC, generating an ASAN trace, recording the bug reproducing, or performing your own debugging. We may therefore, at our discretion, consider these reports spam and close them, so please make sure you're authoring high-quality reports if relying on AI.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-07-22T01:11:54.161Z"},{"id":3758306,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. 
Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. 
For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and the Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix them rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. 
This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us.\n* Security issues affecting high-impact web services like https://search.brave.com, https://api-dashboard.search.brave.com/, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Issues which exist upstream in Chromium are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix. 
(This is very rare.)\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances where an exploit is able to impact a Brave product or service will we consider them in scope.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-06-27T18:34:16.902Z"},{"id":3758301,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Chromium security issues are only eligible for a bounty if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. 
For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances where an exploit is able to impact a Brave product or service will we consider them in scope.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-06-27T18:25:09.401Z"},{"id":3758212,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. This will be decided at our discretion. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-06-26T18:19:18.912Z"},{"id":3756150,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* Spoofing the displayed URL in brave://downloads is out of scope, as this is a [known issue](https://github.com/brave/brave-browser/issues/46298) inherited from Chromium and the real URL is visible on hover.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-05-23T04:35:57.446Z"},{"id":3756117,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n* In general, reporting of .brave TLDs should be submitted directly to https://unstoppabledomains.com/abuse. 
Only in limited circumstances, where an exploit is able to impact a Brave product or service, will we consider them in scope.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-05-22T16:31:50.386Z"},{"id":3755807,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have been previously addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may grant the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it can be exploited without modifying the PATH variable or taking other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklet functionality)\n* Hostname confusion due to the '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN or other premium account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* brave://downloads showing a different origin from Chrome. 
As of https://github.com/brave/brave-browser/issues/43501, Brave shows the file download source origin while Chrome shows the referring origin.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-05-16T18:21:08.679Z"},{"id":3755666,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have been previously addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may grant the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it can be exploited without modifying the PATH variable or taking other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklet functionality)\n* Hostname confusion due to the '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-05-15T01:10:26.251Z"},{"id":3753928,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows (see below for exclusions), and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis. Note that Tor windows in Brave generally do NOT have additional fingerprinting protection other than for the user's IP address, as our goals are substantially weaker than Tor Browser's. \n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-04-16T21:43:08.208Z"},{"id":3753218,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* The download/upload file dialog not showing the origin in some cases\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-04-06T04:50:14.322Z"},{"id":3752678,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require the attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN account access that persists beyond the trial period\n* Email clients automatically creating hyperlinks from text\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-03-30T21:30:21.779Z"},{"id":3752077,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require the attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* VPN account access that persists beyond the trial period\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-03-19T16:50:18.620Z"},{"id":3749166,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n**NOTE: If an issue is out of scope, we will do our best to explain why in 1-2 messages. We may not reply to follow-ups due to limited resources. Please refrain from spamming us or repeating points that have previously been addressed.**\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-01-31T04:36:08.224Z"},{"id":3748388,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 
2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. 
You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. 
However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. 
Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Custom exclusions below\",\"details\":\"Please see our program details for the full list of exclusions.\"}"],"timestamp":"2025-01-20T02:05:20.815Z"},{"id":3748387,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On January 19 2025, we added some out-of-scope items and noted that reporting these may damage your reputation.\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 
2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. 
You can see current release numbers at https://brave.com/latest/. Older releases are not in scope.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. 
However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* High severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. 
Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* Account takeovers (S3 buckets, NPM packages, etc.) where there is no proof the account was ever owned by Brave.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nAs of January 2025, due to an increased volume of low-quality reports, we may at our discretion close reports as \"Not Applicable\" or \"Spam\" if they are covered by an exclusion above or do not have anything to do with Brave.\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-20T02:02:35.375Z"},{"id":3748235,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always 
in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. 
We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases. We generally rate bugs based on how urgent it is for Brave to fix rather than following CVSS strictly. \n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the desktop, iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. 
This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://account.brave.com/, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). 
Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-16T17:24:00.869Z"},{"id":3741467,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (e.g. Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account).\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklet functionality)\n* Hostname confusion due to the '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope.\n* Attacks which require unusual Brave or system configurations (such as blocking network requests to Brave services or disabling recommended security features) are generally out-of-scope.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-08T18:19:35.916Z"},{"id":3740961,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta as in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to award based on the higher of the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (e.g. Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account).\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklet functionality)\n* Hostname confusion due to the '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* Reports involving the scanning of QR codes to open URLs directly in a browser, without any accompanying exploit or vulnerability, are considered out of scope.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-02T18:07:00.253Z"},{"id":3730776,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta as in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to award based on the higher of the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on hosts that are run by other companies. `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond. 
Bugs on `status.brave.com` should be reported to security@betterstack.com.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (e.g. Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account).\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-24T16:08:04.601Z"},{"id":3726976,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may award the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software, brave.io. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. 
Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it does not require the attacker to modify the PATH variable or perform other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-21T20:20:11.341Z"},{"id":3726975,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may award the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com. In general we care about security issues affecting these domains and their subdomains: brave.com, basicattentiontoken.org, bravesoftware.com, brave.software. However some pages may be out of scope if they are run by a third party or have no real security impact.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. 
Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. 
In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless it does not require the attacker to modify the PATH variable or perform other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-21T20:15:08.472Z"},{"id":3726726,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may award the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (e.g. Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Links and social media account takeovers on our websites, unless the link is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-19T00:24:12.852Z"},{"id":3726616,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may award the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`. However issues affecting the BAT contract are out of scope unless there is concrete proof that funds can be stolen using it.\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (e.g. Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-17T17:17:02.791Z"},{"id":3725895,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked https://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search.\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may award the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. 
The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* Network requests that don't go through Brave Shields or HTTPS Upgrades which are not in a webpage context will be considered on a case-by-case basis depending on impact.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-13T18:48:58.992Z"},{"id":3725863,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. 
The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-13T14:03:19.078Z"},{"id":3725183,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 7 2024, we added policy details for AI safety.\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. 
Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose resolved reports two weeks after shipping the release which contains the fix. For reports which were closed as Informative or N/A, we may not respond to your request for disclosure.\n* Issues related to AI models should be reported to ai-safety@brave.com and are usually out-of-scope for bounties. (See \"Exclusions\" section below.)\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. 
The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\nIssues with AI models used in Brave are out of scope unless they have an additional directly verifiable security impact on an in-scope service. For issues in third-party models, please report them to the third-party provider (such as Anthropic in the case of Claude, used in Brave Leo). For issues with models that are maintained by Brave, such as the Brave Search AI, please send a report to ai-safety@brave.com.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-07T19:31:46.937Z"},{"id":3724571,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. 
The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* Any transaction simulation bypasses that affect Blowfish are out of scope and should be reported directly to Blowfish via their responsible disclosure policy.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-01T00:51:52.515Z"},{"id":3713643,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On March 5 2023, we marked \t\nhttps://github.com/brave/brave-ios out of scope because iOS code is now in https://github.com/brave/brave-core.\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. 
The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-05T17:10:24.766Z"},{"id":3710114,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium- or high-severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Publicly known issues are eligible only for our $50 notification tier, not for a severity-based award. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* Account takeovers that have little to no impact, such as emails listed in package.json files.\n* DLL hijacking, unless exploitation does not require the attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Paths being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-03T02:59:43.624Z"},{"id":3690015,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may award based on the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium- or high-severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Publicly known issues are eligible only for our $50 notification tier, not for a severity-based award. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking, unless exploitation does not require the attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Paths being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* Hostname confusion due to '@' symbol in a URL.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-27T17:22:38.288Z"},{"id":3689335,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may award based on the higher of the Impact and Severity ratings for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium- or high-severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Publicly known issues are eligible only for our $50 notification tier, not for a severity-based award. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking, unless exploitation does not require the attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Paths being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-14T17:27:59.259Z"},{"id":3678591,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking, unless it does not require the attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-10-15T21:16:45.479Z"},{"id":3677109,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking, unless it does not require the attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-07T23:22:49.869Z"},{"id":3677108,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* At our discretion, we may decide to grant the higher of the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-07T22:56:53.846Z"},{"id":3677107,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `survey-admin.brave.com` should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-07T22:55:18.216Z"},{"id":3674459,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. 
We may not award for these unless there is a proof of concept.\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-15T13:40:50.898Z"},{"id":3672434,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-07T09:50:49.634Z"},{"id":3672398,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web 
safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-06T16:56:49.686Z"},{"id":3668402,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web 
safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n* To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. 
This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. 
Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-23T15:05:24.344Z"},{"id":3663328,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-22T18:38:54.752Z"},{"id":3662850,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. 
Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. 
We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.\n* Network connections from the Brave browser that may compromise user privacy. 
This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-09T21:14:38.833Z"},{"id":3660172,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web 
safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A GitHub wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Documents with public commenting/suggesting/reading permission that don't contain any private info\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-18T21:53:14.736Z"},{"id":3659639,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. 
Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. 
We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. 
This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may award a bounty for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A GitHub wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Path being displayed in 404 pages\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-06T17:35:58.254Z"},{"id":3658953,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may award a bounty for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A GitHub wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-28T07:42:14.506Z"},{"id":3658278,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. 
Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. 
We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. 
This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-14T17:09:43.548Z"},{"id":3658238,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports of scam sites in Brave Search result listings. These can still be reported here but won't be awarded.\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-13T17:55:54.917Z"},{"id":3655289,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. 
This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-07-20T21:33:13.155Z"},{"id":3654132,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://together.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* Reports without clear steps that allow us to reproduce the vulnerability\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-30T17:22:00.891Z"},{"id":3654066,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅   Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️  On May 17 2021, we added details about Brave Search\n- ℹ️  On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️  On March 2 2021, we added details about in-scope network connections.\n- ℹ️  On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️  On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️  On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️  On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️  On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️  On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️  On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️  On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵   Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨   Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.\n\n# ℹ️   Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. 
If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅  In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting high-impact web services like https://search.brave.com, https://together.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌   Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️  The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned or operated by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that have little to no impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-29T15:51:49.374Z"},{"id":3652353,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️ On May 17 2021, we added details about Brave Search.\n- ℹ️ On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️ On March 2 2021, we added details about in-scope network connections.\n- ℹ️ On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️ On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️ On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️ On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. 
We will ship a fix in a scheduled release. Hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. 
Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting search.brave.com and subscriptions.bsg.brave.com. 
If you need access to the Brave Search beta for security testing purposes, please email security@brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-17T16:33:25.640Z"},{"id":3652352,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️ On May 17 2021, we added details about Brave Search.\n- ℹ️ On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️ On March 2 2021, we added details about in-scope network connections.\n- ℹ️ On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️ On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️ On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️ On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Custom hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. 
Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting search.brave.com and subscriptions.bsg.brave.com. 
If you need access to the Brave Search beta for security testing purposes, please email security@brave.com.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account).\n* DLL hijacking, unless it doesn't require an attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-17T16:30:25.025Z"},{"id":3651735,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️ On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️ On March 2 2021, we added details about in-scope network connections.\n- ℹ️ On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️ On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️ On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️ On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. 
We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account).\n* DLL hijacking, unless it doesn't require an attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* Server metrics being exposed on /metrics endpoints\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-29T17:33:35.338Z"},{"id":3651413,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️ On April 23 2021, we added details about BAT fraud issues that are in-scope.\n- ℹ️ On March 2 2021, we added details about in-scope network connections.\n- ℹ️ On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️ On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️ On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️ On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. 
We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. 
Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Information about BAT fraud that is not already known to us. 
We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account).\n* DLL hijacking, unless it doesn't require an attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-23T23:51:22.357Z"},{"id":3650631,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️On March 2 2021, we added details about in-scope network connections.\n- ℹ️On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on `support.brave.com` should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on `store.brave.com` should be reported to https://www.originprotocol.com/, though we can help escalate if they do not respond.\n* Bugs on websites that are not owned by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking, unless it doesn't require an attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-31T17:42:10.244Z"},{"id":3650570,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️On March 2 2021, we added details about in-scope network connections.\n- ℹ️On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse.\n* Bugs on websites that are not owned by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking, unless it doesn't require an attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-30T16:40:37.567Z"},{"id":3649383,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️On March 2 2021, we added details about in-scope network connections.\n- ℹ️On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$300. Few of them are more than $500.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.\n* Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse.\n* Bugs on websites that are not owned by Brave.\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using an Incognito / Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking, unless it doesn't require an attacker to modify the PATH variable or take other actions that require local access.\n* Email flooding attacks\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-03T01:11:12.739Z"},{"id":3648916,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$200. Very few of them are more than $500.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using an Incognito / Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-19T17:57:37.324Z"},{"id":3642413,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using an Incognito / Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in any of our products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-14T23:21:19.963Z"},{"id":3640553,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Attacks that allow a website to detect whether a user is using an Incognito / Private Browsing window.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.\n* Email flooding attacks\n* We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-27T22:58:28.658Z"},{"id":3635741,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. 
Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking, unless it doesn't require an attacker to modify the PATH variable or perform other actions that require local access.\n* Email flooding attacks\n* We will try our best to consider reports which are not in English but may not be able to triage them due to a lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-01T19:01:33.778Z"},{"id":3635297,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.\n\n## ⭕️The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium or Firefox) which are already reported to the upstream maintainer. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking, unless it doesn't require an attacker to modify the PATH variable or perform other actions that require local access.\n* Email flooding attacks\n* We will try our best to consider reports which are not in English but may not be able to triage them due to a lack of non-English speakers.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-21T20:39:03.206Z"},{"id":3635129,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security issues in Brave Android Beta: https://play.google.com/store/apps/details?id=com.brave.browser_beta\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n- [Jira helpdesk which isn't ours](https://brave.atlassian.net)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking, unless it doesn't require an attacker to modify the PATH variable or perform other actions that require local access.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-16T21:14:16.049Z"},{"id":3634243,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes notable recent changes. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️On Jan 29 2020, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security issues in Brave Android Beta: https://play.google.com/store/apps/details?id=com.brave.browser_beta\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n* DLL hijacking unless it doesn't require an attacker to modify the PATH variable or do other actions that require local access.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-30T02:37:52.989Z"},{"id":3630849,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes what's changed in roughly the last six months. 
It's only a summary, though — the full policy is below the changelog.\n\n- ℹ️On Jan 29 2019, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security issues in Brave Android Beta: https://play.google.com/store/apps/details?id=com.brave.browser_beta\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-18T18:23:31.729Z"},{"id":3629456,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — August 21 2019\nThis section summarizes what's changed in roughly the last six months. It's only a summary, though — the full policy is below the changelog.\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. 
\n- ℹ️On Jan 29 2019, we added Brave Android Beta to in scope.\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security issues in Brave Android Beta: https://play.google.com/store/apps/details?id=com.brave.browser_beta\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-29T18:11:44.498Z"},{"id":3622565,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — August 21 2019\nThis section summarizes what's changed in roughly the last six months. It's only a summary, though — the full policy is below the changelog.\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. 
\n- ℹ️On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-30T17:59:51.286Z"},{"id":3622495,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — August 21 2019\nThis section summarizes what's changed in roughly the last six months. It's only a summary, though — the full policy is below the changelog.\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. 
\n- ℹ️ On Oct 29 2019, we clarified exclusions for DoS bugs.\n- ℹ️ On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️ On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-29T23:26:02.420Z"},{"id":3616905,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — August 21 2019\nThis section summarizes what's changed in roughly the last six months. It's only a summary, though — the full policy is below the changelog.\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. 
\n\n- ℹ️ On August 21 2019, we noted that social media account takeovers on our websites are out of scope.\n- ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️ On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n* A Github wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n* Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-21T19:42:57.227Z"},{"id":3615623,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — April 23 2019\nThis section summarizes what's changed in roughly the last six months. It's only a summary, though — the full policy is below the changelog.\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. 
\n\n- ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️ On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. 
Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. 
We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical/local access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n* A GitHub wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-06T00:20:26.731Z"},{"id":3608146,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — April 23 2019\nThis section summarizes what's changed in roughly the last six months. It's only a summary, though — the full policy is below the changelog.\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n\n- ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️ On March 8 2019, we noted that GitHub wikis being publicly editable is out of scope.\n- ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. 
[See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. 
Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. 
Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n* A GitHub wiki being publicly editable is out of scope. 
Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-04-23T18:18:34.609Z"},{"id":3608145,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nThis section summarizes what's been changed. The full policy is below the changelog.\nLast change — March 15 2019\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. 
These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️ On March 8 2019, we noted that GitHub wikis being publicly editable is out of scope.\n- ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. 
Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. 
Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. 
We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n* A GitHub wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-04-23T18:08:57.923Z"},{"id":3605343,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — March 8 2019\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.\n- ℹ️ On March 8 2019, we noted that GitHub wikis being publicly editable is out of scope.\n- ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we 
decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n* Bugs in browser extensions which are not enabled/installed by default in Brave.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-15T20:03:29.614Z"},{"id":3604791,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — March 8 2019\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On of October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- 
ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated or archived.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-08T20:50:42.887Z"},{"id":3604790,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — March 8 2019\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️On March 8 2019, we noted that Github wikis being publicly editable is out of scope.\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On of October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- 
ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. 
The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated; in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. 
Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n* A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-08T20:50:00.181Z"},{"id":3603669,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — February 25 2019\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On of October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org 
should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. 
Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. 
We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated; in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-25T22:45:36.125Z"},{"id":3603667,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — February 25 2019\n\n- On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an 
analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. 
Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. 
We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated; in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for the public-issue notification tier in the bounty schedule above, rather than being paid by severity. Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-25T22:44:41.458Z"},{"id":3602141,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — November 8 2018\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. 
Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* ~$50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. 
Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. 
We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated; in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for the public-issue notification tier in the bounty schedule above, rather than being paid by severity. Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️ The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DoS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-05T21:34:58.404Z"},{"id":3602139,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — November 8 2018\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. 
Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $25 — This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. 
Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. 
We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated; in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity. Chromium security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium fix.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\nIssues in Chromium are only eligible for this program if we plan to fix them directly in Brave. 
For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope.\n\n## ⭕️The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-05T20:23:39.999Z"},{"id":3600282,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — November 8 2018\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On of October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. 
Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $25 — This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave. It's not new: we really should have known about it. But we missed it, so thanks for telling us.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. 
Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. 
We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Privacy issues in any of our products, including outbound network connections to third-party services (like Google) in the background and not in response to a user action.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated; in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity.\n\n# ❌Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. 
Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-11T19:59:49.405Z"},{"id":3596933,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — November 8 2018\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. 
These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On of October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. 
Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $25 — This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave. It's not new: we really should have known about it. But we missed it, so thanks for telling us.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is not deprecated; in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity.\n\n# ❌Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: Chromium) which are already reported to the upstream maintainer. 
If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-04T22:19:33.402Z"},{"id":3594087,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — November 8 2018\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. 
These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On of October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. 
Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $25 — This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave. It's not new: we really should have known about it. But we missed it, so thanks for telling us.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity.\n\n# ❌Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-08T23:27:59.519Z"},{"id":3594059,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — November 8 2018\n\n- ⚠️ As of November 8 2018, we are no longer soliciting reports for our [legacy iOS codebase](https://github.com/brave/browser-ios/). Only issues which are reproducible on our [newer iOS revision](https://github.com/brave/brave-ios/) will be eligible for a bounty. \n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. 
These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n\n- ℹ️ On November 8 2018, we added a new bounty tier for reports about already-public vulnerabilities — like CVEs for other platforms.\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ℹ️ On August 28 2018, we restricted iOS reports to high-severity only as part of an ongoing codebase transition for that product.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. 
Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $25 — This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave. It's not new: we really should have known about it. But we missed it, so thanks for telling us.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n* Public security issues for other browsers which also affect Brave (as long as we don't already know about them). Only moderate or worse issues are eligible. Public issues are only eligible for our $25 notification tier, rather than by severity.\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All [LinkBubble](https://github.com/brave/link-bubble) products\n- [The legacy Muon-based version of Brave](https://github.com/brave/browser-laptop)\n- [The Muon desktop framework](https://github.com/brave/muon)\n- [Our legacy iOS codebase](https://github.com/brave/browser-ios)\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know about. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-08T18:49:22.151Z"},{"id":3592364,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — October 23 2018\n\n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. 
When the newer codebase is released, it will become the focus of the bounty program.\n\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n* Extremely exclusive custom Brave hacker swag is available on request for reports of extremely bad problems.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. 
Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All LinkBubble products\n- The legacy Muon-based version of Brave\n- The Muon desktop framework\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-23T18:47:06.191Z"},{"id":3592361,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — October 23 2018\n\n- ⚠️ As of October 23 2018, the [Muon-based Brave](https://github.com/brave/browser-laptop) and the [Muon framework itself](https://github.com/brave/muon) are *no longer part of this program*. These products are at the end of their life, and have been replaced by the [Chromium-based Brave](https://github.com/brave/brave-browser).\n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. 
When the newer codebase is released, it will become the focus of the bounty program.\n\n- ℹ️ On October 23 2018, we clarified the best ways to contact our team outside of HackerOne.\n- ℹ️ On October 22 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On October 5 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only paying bounties for critical-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ℹ️ On August 1 2018, as part of the shift from a Muon-centered codebase to our Chromium-centered codebase, we began only soliciting high-severity reports regarding our primary Muon-based desktop browser and the Muon framework.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. 
Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them. Custom hacker swag available upon request.\n\nMost of the bounties we award are $50-$150. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n* We are a relatively small team with a relatively large project to protect. 
Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and @mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email \u003csecurity@brave.com\u003e. We would prefer that you not personally message Brave team members on other platforms or channels.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n\n# ❌ Exclusions\n## The following products are out of scope:\n- All LinkBubble products\n- The legacy Muon-based version of Brave\n- The Muon desktop framework\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-23T18:37:41.926Z"},{"id":3592257,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# 📅 Recent Changes\nLast change — October 22 2018\n\n- ⚠️ As of October 5 2018, we are **only paying bounties for *critical-severity* reports** regarding our primary Muon-based desktop browser: https://github.com/brave/browser-laptop. This is because we are deprecating this codebase in favor of https://github.com/brave/brave-browser. \n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n- ⚠️ As of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. 
As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\n- ℹ️ On October 22, 2018, we clarified our preferred public disclosure timeline (2 weeks after we ship a fix).\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them. Custom hacker swag available upon request.\n\nMost of the bounties we award are $50. 
Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n* We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix. \n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n\n# ❌Exclusions\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-22T19:45:55.484Z"},{"id":3590607,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — October 5 2018\n\n- ⚠️ As of October 5 2018, we are **only paying bounties for *critical-severity* reports** regarding our primary Muon-based desktop browser: https://github.com/brave/browser-laptop. This is because we are deprecating this codebase in favor of https://github.com/brave/brave-browser. \n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n- ⚠️ As of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them. Custom hacker swag available upon request.\n\nMost of the bounties we award are $50. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. 
This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n\n# ❌Exclusions\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-04T23:09:53.953Z"},{"id":3590606,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — September 11 2018\n\n- ⚠️ As of October 5 2018, we are **only paying bounties for *critical-severity* reports** regarding our primary Muon-based desktop browser: https://github.com/brave/browser-laptop. This is because we are deprecating this codebase in favor of https://github.com/brave/brave-browser. \n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n- ⚠️ As of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. 
It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them. Custom hacker swag available upon request.\n\nMost of the bounties we award are $50. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. 
This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n\n# ❌Exclusions\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-04T23:08:59.613Z"},{"id":3590098,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — September 11 2018\n\n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n- ⚠️ As of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\n- ℹ️ On September 27 2018, we decided to start offering custom hacker swag for particularly-severe reports.\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. 
We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them. Custom hacker swag available upon request.\n\nMost of the bounties we award are $50. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n\n# ❌Exclusions\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-28T17:45:35.458Z"},{"id":3589459,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — September 11 2018\n\n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n- ⚠️ As of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them. Custom hacker swag available upon request.\n\nMost of the bounties we award are $50. Very few of them are more than $250.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n\n# ❌Exclusions\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-21T19:18:43.706Z"},{"id":3589458,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — September 11 2018\n\n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n- ⚠️ As of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Custom hacker swag available upon request.\n* ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them. Custom hacker swag available upon request.\n\nMost of the bounties we award are $50. Very few of them are more than $250. The sweet spot for this program is $100-$250 — that's where we'd like to see most of the reports we work on.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n\n# ❌Exclusions\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-21T19:06:46.460Z"},{"id":3588485,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — September 11 2018\n\n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n- ⚠️ As of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.\n* ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50. Very few of them are more than $250. The sweet spot for this program is $100-$250 — that's where we'd like to see most of the reports we work on.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID `5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B` (available in the public keyserver pool).\n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: `0x0d8775f648430679a709e98d2b0cb6250d2887ef`, `0x44fcfabfbe32024a01b778c025d70498382cced0`, `0x7c31560552170ce96c4a7b018e93cddc19dc61b6`, `0xfbfa258b9028c7d4fc52ce28031469214d10daeb`, `0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b`\n\n# ❌Exclusions\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on `[*.]brave.com` are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on `community.brave.com` or `forum.batcommunity.org` should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-12T00:01:23.335Z"},{"id":3588480,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — September 11 2018\n\n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n- ⚠️ As of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\n- ℹ️ On September 11 2018, we clarified that issues with Brave sites run by Discourse.org should be reported directly to them — though this really goes for all hosted sites and upstream dependencies.\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.\n* ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50. Very few of them are more than $250. The sweet spot for this program is $100-$250 — that's where we'd like to see most of the reports we work on.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# ❌Exclusions\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on community.brave.com or forum.batcommunity.org should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-11T23:57:21.755Z"},{"id":3588478,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — September 4 2018\n\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n- ⚠️ As of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.\n* ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50. Very few of them are more than $250. 
The sweet spot for this program is $100-$250 — that's where we'd like to see most of the reports we work on.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# ❌Exclusions\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* In particular, bugs on community.brave.com or forum.batcommunity.org should be reported to Discourse, not Brave: https://hackerone.com/discourse\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-11T23:54:30.856Z"},{"id":3587855,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# 📅 Recent Changes\nLast change — September 4 2018\n\n- ℹ️ On September 4 2018, we clarified that the output of an analysis tool doesn't constitute a report on its own. Human engagement and context are required — or a working PoC.\n- ⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n- ⚠️ As of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.\n* ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50. Very few of them are more than $250. 
The sweet spot for this program is $100-$250 — that's where we'd like to see most of the reports we work on.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# ℹ️ Program notes\n* The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.\n* We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# ❌Exclusions\n## The following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-04T22:23:53.605Z"},{"id":3587146,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\nWe prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# 📅 Recent Changes\nLast change — August 28 2018\n\n⚠️ As of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\n⚠️ As of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n\n# 💵 Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.\n* ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. 
We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50. Very few of them are more than $250. The sweet spot for this program is $100-$250 — that's where we'd like to see most of the reports we work on.\n\n# 👁‍🗨 Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# ✅ In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# ❌ Exclusions\n## The following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. 
Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\n## While researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-28T19:37:22.823Z"},{"id":3587145,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\nWe prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# Recent Changes\nLast change — August 28 2018\n\nAs of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\nAs of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. 
As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n\n# Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.\n* ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50. Very few of them are more than $250. The sweet spot for this program is $100-$250 — that's where we'd like to see most of the reports we work on.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-28T19:32:13.187Z"},{"id":3587144,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\nAs of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\nAs of August 28 2018, we are **only soliciting *high-severity* reports** regarding our mobile browser for iOS. As with our desktop browser, we are currently shifting codebases in this product. When the newer codebase is released, it will become the focus of the bounty program.\n\nWe prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.\n* ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50. 
Very few of them are more than $250. The sweet spot for this program is $100-$250 — that's where we'd like to see most of the reports we work on.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-28T19:29:53.405Z"},{"id":3584448,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\nAs of August 1 2018, we are **only soliciting *high-severity* reports** regarding our primary Muon-based desktop browser. This is part of a shift from a Muon-centered codebase to our Chromium-centered codebase. As the Chromium-centered codebase becomes more mature, it will become the focus of the bounty program.\n\nWe prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. 
Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.\n* ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50. Very few of them are more than $250. The sweet spot for this program is $100-$250 — that's where we'd like to see most of the reports we work on.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-03T00:12:27.913Z"},{"id":3582483,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\nWe prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# Bounty Schedule\nThis is *approximately* how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.\n* ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50. Very few of them are more than $250. The sweet spot for this program is $100-$250 — that's where we'd like to see most of the reports we work on.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. 
\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-12T21:51:30.739Z"},{"id":3582482,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\nWe prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\nThis is approximately how much we pay for reports. Understand that this is only a guide meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* ≤$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* ≤$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.\n* ≤$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50. Very few of them are more than $250. The sweet spot for this program is $100-$250 — that's where we'd like to see most of the reports we work on.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-12T21:45:42.916Z"},{"id":3582320,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\nWe prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\nThis is approximately how much we pay for reports. Understand that this is only a guide meant to help set expectations.\n* \"not applicable\" — Reports about things that we have specifically noted as out of scope.\n* \"informative\" — We're aware of this, or we don't really see it as a security issue.\n* $50 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.\n* \u003c$100 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.\n* \u003c$250 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release.\n* \u003c$500 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.\n\nMost of the bounties we award are $50. Very few of them are more than $250. The sweet spot for this program is $100-$250: that's where we'd like to see the largest number of valid reports.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-11T23:37:51.096Z"},{"id":3582305,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\nWe prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. 
Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-11T21:24:12.428Z"},{"id":3582281,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\nWe prefer it when hacker file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-11T19:56:07.170Z"},{"id":3575246,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-30T23:18:35.877Z"},{"id":3572816,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. 
This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-02T19:28:40.533Z"},{"id":3561262,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n* Security issues in any repo owned by https://github.com/brave-intl (not forked); in particular, bat-publisher, bat-client, bat-balance, and bat-ledger.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-04T18:25:30.026Z"},{"id":3559689,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis.\n* Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-28T22:48:34.670Z"},{"id":3558299,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n* Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-26T19:40:22.468Z"},{"id":3545286,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). 
Unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-01-20T00:09:03.813Z"},{"id":3541757,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). 
Packages are available at https://brave.com/downloads.html.\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n* Denial-of-service and crash issues in Brave browser are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab).\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-11-15T00:35:48.083Z"},{"id":3541619,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android (excluding LinkBubble). Packages are available at https://brave.com/downloads.html.\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. 
Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n* Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-11-10T23:18:23.382Z"},{"id":3540798,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. 
Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android. Packages are available at https://brave.com/downloads.html.\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. 
Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-25T18:43:32.913Z"},{"id":3540325,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n* We only accept reports from accounts with a signal score of \u003e1.0. If you do not meet this qualification, please email support@brave.com with your HackerOne username.\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android. Packages are available at https://brave.com/downloads.html.\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, unless they are highly severe and warrant an immediate fix. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. 
Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-14T17:41:25.418Z"},{"id":3540304,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n* We only accept reports from accounts with a signal score of \u003e1.0. If you do not meet this qualification, please email support@brave.com with your HackerOne username.\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android. Packages are available at https://brave.com/downloads.html.\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, but will be considered on a case-by-case basis. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. 
Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-13T20:51:13.252Z"},{"id":3540225,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# In-scope\n* Security issues in any current release of the Brave browser. This includes desktop, iOS, and Android. Packages are available at https://brave.com/downloads.html.\n\n# Exclusions\nThe following bug classes are out-of scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Bugs on [*.]brave.com are generally out-of-scope, but will be considered on a case-by-case basis. Due to a high volume of reports, we may not respond to issues related to the website.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. 
Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Issues that do not have any impact on the general public\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-12T18:21:18.854Z"},{"id":3540208,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# Exclusions\nThe following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities\n* Missing security best practices that do not directly lead to a vulnerability\n* Website vulnerabilities on domains other than [*.]brave.com\n* Issues that do not have any impact on the general public\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-12T12:12:57.578Z"},
{"id":3540195,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# Exclusions\nThe following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities in brave.com\n* Missing security best practices that do not directly lead to a vulnerability\n* Website vulnerabilities on domains other than [*.]brave.com\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-12T03:25:28.355Z"},
{"id":3540194,"new_policy":"Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# Exclusions\nThe following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities in brave.com\n* Missing security best practices that do not directly lead to a vulnerability\n* Website vulnerabilities on domains other than [*.]brave.com\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-12T03:25:08.013Z"},
{"id":3540193,"new_policy":"No technology is perfect, and Brave Software believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* If you would like to encrypt your report, please use the PGP key with long ID 5273 5B5A AAFA F9B1 B40A  7222 6B64 A862 A4C7 8E4B (available in the public keyserver pool).\n\n# Exclusions\nThe following bug classes are out-of-scope:\n* Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave), or that we already know of. Note that some of our issue trackers are private.\n* Issues in an upstream software dependency (ex: libchromiumcontent, Electron) which are already reported to the upstream maintainer.\n* Login/logout CSRF\n* Attacks requiring physical access to a user's device.\n* New browser fingerprinting attacks are generally out-of-scope but will be considered on a case-by-case basis. Bypass of an existing fingerprinting defense, however, is valid.\n* Self-XSS\n* Issues related to software or protocols not under Brave's control\n* Vulnerabilities in outdated versions of Brave\n* Redirect continuation URL vulnerabilities in brave.com\n* Missing security best practices that do not directly lead to a vulnerability\n* Website vulnerabilities on domains other than [*.]brave.com\n\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Brave Software staff or contractors\n* Any physical attempts against Brave Software property or data centers\n\nThank you for helping keep Brave Software and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-12T03:16:50.287Z"}]