Radbrow Vulnerability Disclosure Policy
Last updated: 2026-07-04
Radbrow is a web browser for iOS built on an alternative (non-WebKit) browser
engine. We take the security of the people who use it seriously, and we welcome
reports from security researchers and other third parties. This policy explains
how to report a vulnerability to us and what you can expect in return.
Scope
This policy covers the Radbrow browser application, its browser engine, and
the services that directly support them. Reports about third-party services we
do not operate are out of scope, though we are grateful to be told about them.
How to report
Email [email protected].
Please include enough detail for us to reproduce and assess the issue:
- A description of the vulnerability and its potential impact.
- The affected component and version (or commit, or build) where known.
- Step-by-step reproduction instructions, including any proof-of-concept
code, URLs, or sample inputs.
- The device model and OS version you observed it on, if relevant.
- How you would like to be credited, if you would like credit.
If you need to share sensitive material, say so in your first email and we
will arrange a secure channel.
What you can expect from us
- Acknowledgement within 3 business days of your report.
- An initial assessment (whether we can reproduce it and our view of severity)
within 14 days.
- Status updates at least every 14 days until the report is resolved or closed,
and a notification when it is.
- Credit for your discovery when a fix ships, if you would like it and unless
you ask us not to.
Our commitments
- We prioritise mitigating vulnerabilities that are being actively
exploited in released software over new feature development. We aim
to resolve straightforward classes of actively exploited vulnerabilities
within 30 days; some issues are more complex and may take
longer, and we will keep you informed when they do.
- We monitor our software supply chain — including the upstream browser
engine and its dependencies — for vulnerabilities and update affected
components.
- When a fix ships, we record the resolved issue on our published CVE page:
https://radbrow.radish.build/cves.
Safe harbour
If you make a good-faith effort to comply with this policy while researching
and reporting a vulnerability, we will not pursue or support legal action
against you for that research. Please avoid privacy violations, degradation of
service, and destruction or exfiltration of data beyond the minimum necessary to
demonstrate a vulnerability, and give us a reasonable opportunity to resolve the
issue before disclosing it publicly.
Contact
Security reports: [email protected]