Security

Bug Bounty Program

We take security seriously. If you've found a vulnerability in Browzer, we want to hear from you. We welcome responsible disclosure from the security research community and are committed to working with you to resolve issues quickly.

Last updated: March 2026

Program Scope

The following assets are in scope for our bug bounty program:

In Scope

  • trybrowzer.com — Web application and all subdomains
  • Browzer Chrome Extension — Published on the Chrome Web Store
  • Browzer Desktop App — macOS and Windows builds
  • Browzer API — Backend services and endpoints

Out of Scope

  • Social engineering, phishing, or physical attacks
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning or brute-force attacks against production systems
  • Third-party services and integrations we do not control
  • Reports from automated vulnerability scanners without a demonstrated proof of concept
  • Issues related to rate limiting, missing security headers with no demonstrated impact, or clickjacking on pages with no sensitive actions

Qualifying Vulnerabilities

We are particularly interested in the following types of vulnerabilities:

  • Remote code execution (RCE)
  • SQL injection, NoSQL injection, or other injection attacks
  • Authentication or authorization bypass
  • Cross-site scripting (XSS) with demonstrated impact
  • Cross-site request forgery (CSRF) on sensitive actions
  • Insecure direct object references (IDOR) leading to unauthorized data access
  • Server-side request forgery (SSRF)
  • Privilege escalation between user roles or organizations
  • Sensitive data exposure (credentials, tokens, PII leakage)

How to Report

If you believe you have found a security vulnerability, please report it to us responsibly:

Email

Send your report to contact@trybrowzer.com

Please include the following in your report:

  1. A detailed description of the vulnerability and its potential impact
  2. Step-by-step instructions to reproduce the issue
  3. Proof of concept (screenshots, videos, or code snippets)
  4. The affected asset (URL, endpoint, app version)
  5. Your suggested severity rating (Critical, High, Medium, Low)

Rewards

We reward valid, unique reports based on severity and impact. Reward amounts are determined at our discretion and depend on the quality of the report and the criticality of the issue.

  Severity   Reward Range
  Critical   $250 – $1,000
  High       $100 – $250
  Medium     $50 – $100
  Low        Recognition on our Security Hall of Fame

In addition to monetary rewards, all valid reporters will be credited in our Security Hall of Fame (with your permission).

Rules of Engagement

To participate in our bug bounty program, you must agree to the following:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform any attack that could harm the availability or integrity of our services
  • Only test against accounts you own or have explicit permission to test
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to fix it (90-day disclosure deadline)
  • Provide a reasonable amount of time for us to respond before taking any further action
  • Act in good faith to avoid privacy violations, data destruction, and service disruption

Safe Harbor

Browzer Labs, Inc. pledges the following to security researchers who participate in our bug bounty program in good faith:

We consider security research conducted consistent with this policy to be authorized, and we will not initiate or recommend legal action against you for your research. If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will make reasonable efforts to make it known that your actions were authorized by us.

We will not bring a civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct. To the extent that your activities are inconsistent with certain restrictions in our terms of service, we waive those restrictions for the limited purpose of your security research under this program.

Response Timeline

We are committed to responding to security reports promptly:

  • Acknowledgement: within 2 business days
  • Triage and severity assessment: within 5 business days
  • Resolution target: within 30 days for critical issues, 90 days for others
  • Reward payment: within 30 days of resolution

Contact

For all security-related inquiries, please email contact@trybrowzer.com. For general questions about Browzer, visit our contact page.