Security reviews
Francois Marier edited this page Jun 22, 2021 · 21 revisions
If a code change (pull request, commit, etc.) satisfies ANY of the following, it requires a security review before it can be merged:
- It is a feature important enough that there has been at least one meeting about it.
- It modifies or adds network requests.
- It is related to money/BAT.
- It involves cryptography, including anything which generates a random number, a random series of bytes, or the like.
- It adds new dependencies (e.g. Docker images), integrations, or plugins.
- It is related to sensitive user information such as cookies, passwords, and private browsing data.
- It changes the amount of data collected by Brave or one of its partners — including making any logs which may be sent to Brave or a third party.
- It adds a new extension to the list of extensions that Brave installs without first warning the user.
- It changes any security/privacy messaging in our products (warning messages, security icons, etc.).
- It adds a new channel or modifies an existing channel for distributing software produced by Brave, including software updates.
If you are not sure whether you need a security review, you should probably ask for one just to play it safe.
Staff can request a security review by filing an issue here: https://github.com/brave/security/issues
Outside contributors should ask a staff member to file a security issue on their behalf if one is needed.