Security
The Browser Company Bounty Program
At The Browser Company of New York, we care deeply about safeguarding the security and privacy of everyone who uses our products. We also recognize the security research community’s invaluable role in this mission. If you spot a vulnerability, we want to hear about it so we can make things right as soon as possible. Your work helps us build a safer, more secure browsing experience for all.
Our Bug Bounty Program is run through HackerOne. Please visit our HackerOne program page to review our program policy and scope, and to submit your findings.
How to Submit your Research
If you believe you’ve identified a security or privacy issue that affects BCNY products, services, or software, please submit it to us through our HackerOne program.
Keeping Dia Secure
Your browser is your doorway to the internet—work, personal life, and everything in between. Keeping that doorway secure is core to how we design, build, and ship Dia.
We’re a focused team that treats security as a product feature, not an afterthought. Our goal is simple: you shouldn’t have to worry that your data is being misused, mishandled, or sold.
To make that concrete, here’s what we do and how we think about it:
Outside security assessments
We work with independent security firms to run regular audits of our products. Each year, we conduct full‑scope assessments and schedule point‑in‑time reviews for new or high‑risk features. These engagements include code reviews, architecture analysis, and exploit testing. When appropriate, we publish notable findings and fixes in our Security Bulletins.
Browser engine
Dia is built on Chromium—the same open‑source engine behind Chrome and Edge—so we inherit a battle‑tested foundation and the latest upstream security patches. We prioritize upgrades and keep Dia aligned with the newest Chromium releases and hotfixes on an aggressive cadence.
List of Disabled Chromium Features
- Google Accounts Integration (GAIA) disabled
- Chromium won’t send requests for accounts on startup to accounts.google.com
- No syncing of Chromium profiles, cookies, passwords, bookmarks to Google via your Google account
- Google metrics (UMA) reporting is disabled
- Uploading settings after resetting profile is disabled
- Reporting Observers and Reporting API are disabled
- Network logging to file is disabled
Infrastructure
We restrict production access by role, log and review access regularly, and encrypt data at rest and in transit. We store as little personal data as possible, and we routinely audit what we collect to ensure it stays minimal and appropriate for the service.
How to reach us
If you have questions or see something we should look at, email [email protected]. If you’re a security researcher, our bug bounty program welcomes your reports.
Security Bulletin
Introducing our Security Bulletin