Security

Acknowledgement target: 7 days.
Patch target: depends on severity.

Anything that lets an attacker:

  • Read or exfiltrate data outside the agent’s sandbox (~/.browy/data/)
  • Execute arbitrary code on the user’s machine via prompt injection, beyond whatever tools the user has enabled in Settings
  • Persist state on the user’s machine that survives uninstall
  • Connect to a host other than the locally-registered native messaging host

Please report issues in third-party software Browy depends on (Chrome, Node.js, the GitHub Copilot CLI) upstream.

Patch + ship

A security release goes out as soon as the fix lands.

Add a regression test

If the issue is reproducible, it gets a test so it can’t come back.

Credit the reporter

Acknowledged in the changelog (with permission).

Backport if severe

If the previous minor is still in wide use and the issue is severe, we backport.

For users:

Review what's enabled

Settings → Tools is the source of truth for which browser tools the agent can call. Turn off evaluate_js or screenshot for stricter setups.

Host tools are off by default

bash, read_file, write_file, grep, glob, and web_fetch reach your machine, not the browser tab. Opt in per-tool under Settings → Tools → host (advanced) when you need them.

Don't run untrusted JavaScript

Don’t ask the agent to evaluate code (via evaluate_js or run_script) from a source you don’t trust.

Watch the debugging banner

The “Browy started debugging…” banner means a session is live. Disconnect if you didn’t expect it.