Brave Search API Security Info
Brave takes our customers’ security and privacy very seriously. As an API provider for some of the biggest names in tech, we’ve passed numerous vendor audits and are always happy to answer security questions from potential customers.
Internally, we require security and privacy reviews from our dedicated security and privacy teams, both during the design phase and implementation phase of new features, as well as for new vendor requests and certain bug fixes. A member of the security and privacy teams must sign off on any changes or specs that warrant review. github.com/brave/brave-browser/wiki/Security-reviews outlines the types of changes which explicitly require security sign-off. In addition, we often require threat modeling as part of specification design, usually as a “Security and Privacy Considerations” section in the spec.
Brave highly prioritizes responsiveness to external security reports. We have an extremely active bug bounty program at hackerone.com/brave; as of October 2024, our average time to triage is about 10 hours and average time to resolution is about 4 days. We also solicit security reports at security@brave.com. The last external report we received regarding the Search API was a captcha bypass on January 31 2024, and it was fixed by February 5 2024. In addition, we contracted an external penetration test of Brave Search (prior to development of the API) via a HackerOne Challenge in May 2021; 2 high-severity and 1 medium-severity findings were reported and fixed promptly.
Our in-house Data Protection Officer (DPO) advises on our compliance with data protection and privacy laws such as the EU’s General Data Protection Regulation (GDPR) and ePrivacy Directive, and the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). They also participate in security and privacy reviews, handle Right to Be Forgotten (RTBF) requests, and ensure our privacy policy is up to date. Brave adopts a baseline standard for data protection based on common data protection principles, but we adapt our approach where necessary and appropriate for specific jurisdictions and rules. Compliance, as with all organizations subject to data protection law, is an ongoing process and is considered within the security and privacy review process established within Brave. ISO standards such as 27001 and 27701 provide guidance for establishing, implementing, maintaining and continuously improving our approach to information security and privacy information management.
Brave takes the utmost care in preventing malicious content from persisting in the search index and addresses feedback in a timely manner. For example:
- Not all URLs we know about (>100B) make it into the index (20B+). We only index pages visited by real people (determined via privacy-preserving techniques), linked from multiple pages in the index (reputation transfer), and from curated RSS feeds.
- We use real-time blacklists for phishing and malware, similar to Safe Browsing.
- We do active scans for child sexual abuse material (CSAM), both internally and using a paid 3rd party (ActiveFence) and block such content.
- We acknowledge and consider RTBF requests from individuals wherever they are located (not just from the EU) after our DPO’s internal assessment for justification.
We have a business continuity plan available upon request and regularly perform backups.
Brave grants access to resources under the principle of least privilege. Access requests are subject to security/privacy reviews and promptly revoked upon termination. Note that all Brave staff and contractors are bound by a confidentiality policy. We enable SSO and non-SMS MFA when possible for our employees. The Brave Search API dashboard also supports login via non-SMS MFA. Our production deployment and access control policies are available upon request.
Third-party services and dependencies are subject to security and privacy review when they are first adopted. We use a combination of Dependabot and Socket.dev for automated third-party dependency security scanning whenever a dependency changes or a new vulnerability is released.
Our security incident handling policy is available upon request. Security events in Search products are monitored by the Search SecOps team. We will promptly notify affected customers and the relevant regulatory authorities if we experience a data breach according to our obligations and risks to individuals.
For more info, please contact privacy@brave.com for privacy and data protection inquiries or security@brave.com for security inquiries.