Brave takes our customers’ security and privacy very seriously.
As an API provider for some of the biggest names in tech, we’ve
passed numerous vendor audits and are always happy to answer security
questions from potential customers.
Internal process
Internally, we require security and privacy reviews from our dedicated
security and privacy teams, both during the design phase and
implementation phase of new features, as well as for new vendor
requests and certain bug fixes. A member of the security and privacy
teams must sign off on any changes or specs that warrant review.
github.com/brave/brave-browser/wiki/Security-reviews
outlines the types of changes which explicitly require security
sign-off. In addition, we often require threat modeling as part
of specification design, usually as a “Security and Privacy Considerations”
section in the spec.
Bug bounty program
Brave highly prioritizes responsiveness to external security reports.
We have an extremely active bug bounty program at
hackerone.com/brave; as of October 2024,
our average time to triage is about 10 hours and average time to
resolution is about 4 days. We also solicit security reports at
security@brave.com. We contracted an
external penetration test of Brave Search (prior to development of the API)
via a HackerOne Challenge
in May 2021; 2 high severity and 1 medium severity were reported
and fixed promptly. In addition, Brave Search API’s last external penetration
test was completed in April 2025, and we are in the process of being certified
for SOC 2 (proof can be provided upon request to customers).
Compliance
Our Data Protection Officer (DPO) advises on our compliance
with data protection and privacy laws such as the EU’s General
Data Protection Regulation (GDPR) and ePrivacy Directive, and
the California Consumer Privacy Act (CCPA) and California
Privacy Rights Act (CPRA). They also participate in security
and privacy reviews, handle
Right to Be Forgotten
(RTBF) requests, and ensure our
privacy policy is up
to date. Brave adopts a baseline standard to data protection based on
common data protection principles but we adapt our approach where
necessary and appropriate for specific jurisdictions and rules.
Compliance, as with all organizations subject to data protection
law, is an ongoing process and considered within the security and
privacy review process established within Brave. ISO standards
such as 27001 and 27701 provide guidance for establishing,
implementing, maintaining and continuously improving our approach
to information security and privacy information management.
Malicious content
Brave takes the utmost care in preventing malicious content from
persisting in the search index and addresses feedback
in a timely manner. For example:
- Not all URLs we know about (>100B) make it into the index (20B+).
We only index pages visited by
real people (determined via privacy preserving techniques), linked from
multiple pages in the index (reputation transfer), and from curated
RSS feeds.
- We use real-time blacklists for phishing and malware, similar to
Safe Browsing.
- We do active scans for child sexual abuse material (CSAM),
both internally and using a paid 3rd party
(ActiveFence) and block such content.
- We acknowledge and consider RTBF requests from individuals
wherever they are located (not just from the EU) after our DPO’s
internal assessment for justification.
Resources
We have a business continuity plan available upon request and
regularly perform backups.
Brave grants access to resources under the principle of least
privilege. Access requests are subject to security/privacy
reviews and promptly revoked upon termination. Note that all Brave
staff and contractors are bound by a confidentiality policy.
We enable SSO and non-SMS MFA when possible for our employees.
The Brave Search API dashboard also supports login via non-SMS MFA.
Our production deployment and access control policies are available
upon request.
Third-party services and dependencies are subject to security
and privacy review upon initialization. We use a combination of
Dependabot and Socket.dev for automated third party dependency
security scanning whenever a dependency changes or a new
vulnerability is released.
Our security incident handling policy is available upon request.
Security events in Search products are monitored by the Search
SecOps team. We will promptly notify affected customers and the
relevant regulatory authorities if we experience a data breach
according to our obligations and risks to individuals.
For more info, please contact privacy@brave.com
for privacy and data protection inquiries or security@brave.com
for security inquiries.