The BubblesTheDev Web Browser project takes security seriously. This document explains how to report security issues and how confirmed vulnerabilities are handled.
Security fixes are generally provided for the most recent stable release of the browser.
| Version | Supported |
|---|---|
| 1.1.33 | Yes |
| Older versions | No |
Users should run the latest available version of the browser to receive the newest security fixes and improvements.
If you discover a security vulnerability, please report it privately.
Do not open a public GitHub issue for security reports.
Report vulnerabilities through a private project security contact method.
Please include:
- a clear description of the issue
- steps to reproduce the problem
- the affected browser version
- operating system details
- screenshots, logs, or proof of concept if available
Please do not include sensitive personal information in a report. Do not send passwords, session tokens, recovery codes, payment information, government identifiers, or full personal documents. If screenshots or logs are necessary, redact private data before sending them.
The more detail included in the report, the faster the issue can usually be validated and addressed.
When a report is received, the general process is:
- Acknowledge the report
- Investigate and validate the issue
- Prepare a fix if needed
- Release a security update when appropriate
- Share public disclosure details after a fix is available
Response times can vary depending on severity, complexity, and reproducibility, but confirmed issues are handled as responsibly and as quickly as possible.
Security reports are handled through a private workflow rather than public issue discussion.
That workflow is intended to:
- reduce unnecessary exposure while a fix is being prepared
- keep reproduction details limited to the people working the issue
- avoid publishing exploit details before affected users have a chance to update
- move to public disclosure only after remediation work is available or the risk has been otherwise addressed
Security researchers are asked to:
- allow reasonable time for investigation and remediation
- avoid public disclosure before a fix is available
- provide enough technical detail to help reproduce the issue
Responsible disclosure helps protect users while fixes are being prepared.
This policy applies to:
- the browser application
- installer packages
- official project repositories
Third-party components such as Electron, Chromium, and Node.js follow their own security policies and release cycles.
The project depends on upstream open-source software, including:
- Electron
- Chromium
- Node.js
Security fixes in these dependencies may require updating the browser to newer upstream versions. Keeping dependencies current is an important part of maintaining the browser's security posture.
The browser is developed with a reduced-surface approach that emphasizes:
- minimal background services
- no built-in telemetry frameworks
- local-first data storage
- reliance on Chromium sandboxing and process isolation where applicable
- strict renderer isolation with `contextIsolation` enabled and `nodeIntegration` disabled
- main-process ownership of higher-risk operations such as downloader execution and performance-policy control
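The isolation settings above are ordinary Electron `webPreferences`, and the "main-process ownership" point means the renderer only ever asks the main process to do privileged work over IPC. The following is an added example, not code from the BubblesTheDev project: it builds the hardened `webPreferences`, audits a window for the weak variants, and validates a renderer-supplied download request before anything runs. It is plain Node so it runs without Electron; the preload path, the `downloader:start` channel name and the host allowlist are assumptions for illustration.

```javascript
'use strict';
// Added example, not the project's own code: the renderer isolation settings
// named above, an audit that flags the weak variants, and a main-process IPC
// handler that validates a renderer request before a privileged download
// runs. Plain Node, no Electron needed; the preload path, channel name and
// host allowlist are assumptions for illustration.

// Hardened webPreferences for the browser's own windows.
function hardenedWebPreferences(preloadPath) {
  return {
    contextIsolation: true,             // page JS cannot touch preload globals
    nodeIntegration: false,             // no require()/process in page scripts
    sandbox: true,                      // Chromium OS sandbox for the renderer
    enableRemoteModule: false,          // legacy remote module stays off
    webSecurity: true,                  // same-origin policy enforced
    allowRunningInsecureContent: false, // no http: subresources on https: pages
    preload: preloadPath,               // the only bridge into the main process
  };
}

// Values a window must set explicitly to count as isolated. Electron's
// defaults are secure for most of these, but an explicit audit catches
// accidental overrides such as { nodeIntegration: true } on a new window.
const REQUIRED = {
  contextIsolation: true,
  nodeIntegration: false,
  sandbox: true,
  enableRemoteModule: false,
  webSecurity: true,
  allowRunningInsecureContent: false,
};

// Returns a list of findings; an empty list means the prefs are hardened.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, want] of Object.entries(REQUIRED)) {
    const got = prefs[key];
    if (got !== want) findings.push(`${key} should be ${want}, got ${got}`);
  }
  return findings;
}

// Hosts a download request may point at (assumed for the example).
const DOWNLOAD_HOSTS = new Set(['www.youtube.com', 'youtube.com', 'youtu.be']);

// Shape-checks a renderer payload before any privileged work happens. The
// renderer is untrusted: it may send any JSON-serialisable value at all.
function validateDownloadRequest(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { ok: false, reason: 'payload must be an object' };
  }
  if (typeof payload.url !== 'string' || payload.url.length > 2048) {
    return { ok: false, reason: 'url must be a string of at most 2048 chars' };
  }
  let u;
  try { u = new URL(payload.url); } catch { return { ok: false, reason: 'unparseable url' }; }
  if (u.protocol !== 'https:') return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { ok: false, reason: 'credentials in url' };
  if (!DOWNLOAD_HOSTS.has(u.hostname)) return { ok: false, reason: `host ${u.hostname} not allowed` };
  return { ok: true, url: u.href };
}

// Registers the validator on an ipcMain-like object ({ handle(channel, fn) }).
// With Electron: registerDownloadHandler(require('electron').ipcMain, startDownload).
// Throwing inside handle() surfaces as a rejected invoke() in the renderer.
function registerDownloadHandler(ipc, startDownload) {
  ipc.handle('downloader:start', async (_event, payload) => {
    const v = validateDownloadRequest(payload);
    if (!v.ok) throw new Error(`rejected download request: ${v.reason}`);
    return startDownload(v.url);
  });
}

module.exports = { hardenedWebPreferences, auditWebPreferences, validateDownloadRequest, registerDownloadHandler };
```

The audit is worth running in a startup self-check or a unit test over every window and view the app creates, since a single `nodeIntegration: true` on a forgotten popup undoes the rest. The validator rejects by shape first and by URL policy second, so the privileged code only ever sees an `https:` URL with no embedded credentials on an allowlisted host.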
Current security-sensitive design points in version 1.1.33 include:
- sandboxed renderer processes and strict preload IPC boundaries
- isolated persistent streaming-service partitions for supported providers such as Disney+, Hulu, Max, Netflix, Paramount+, Prime Video, Apple TV+, AMC+, Peacock, Crunchyroll, YouTube TV, Sling TV, Pluto TV, The Roku Channel, Plex, Discovery+, ESPN+, MGM+, STARZ, and Tubi
- hardened streaming BrowserView and popup windows using `contextIsolation`, `sandbox`, disabled `nodeIntegration`, disabled `enableRemoteModule`, blocked insecure content, and no general-purpose preload bridge
- per-service navigation allowlists that block untrusted redirects and unsafe schemes such as `data:`, `file:`, `chrome:`, and `javascript:`
- streaming permission lockdown that denies camera, microphone, geolocation, notifications, MIDI, and clipboard-read access while allowing only safe playback-oriented cases
- download blocking and file-access blocking inside isolated streaming sessions
- popup abuse controls that restrict streaming login popups to one live popup per service with cooldown protection
- Windows-native download protection using Windows Security Center detection, Windows Attachment Services handoff, Mark of the Web tagging, Authenticode checks, and Windows Defender fallback scanning
- hardened Music Downloader execution limited to approved YouTube single-video audio flows with bundled-binary integrity verification
- updated bundled `ffmpeg.exe` and `ffprobe.exe` handling with pinned SHA-256 verification before use
- controlled YouTube URL normalization that accepts certain auto-added single-video watch-page radio parameters without enabling playlist or bulk download behavior
- Windows-safe gaming and streaming optimization that avoids game hooking, code injection, kernel drivers, or anti-cheat interference
- isolated local AI worker execution with startup integrity checks, authorized bootstrap validation, operation allowlisting, and timeout watchdog protection
- profile-isolated AI memory with encrypted persistence for standard profiles, non-persistent in-memory handling for incognito sessions, and stronger path, quota, and corruption-recovery safeguards
- local-only diagnostics generation and encrypted diagnostics export
- privacy-safe diagnostics that remain disabled by default, use stricter allowlisted payload validation, support preview before send, and submit only through privileged browser-side services when the user enables reporting
- stricter renderer-to-main IPC validation, stronger popup and opener isolation, and tighter internal-page content security rules
- local AI worker trust manifests, approved-model path restrictions, request-size limits, and repeated-failure watchdog behavior
- runtime trust-manifest checks and safer fail-closed handling for sensitive subsystems when integrity problems are detected
- imported extension safeguards, secure-context password handling, and trusted-source-aware download checks
- installer-based update coordination that can perform background checks and downloads where supported, while still using visible update behavior, HTTPS validation, and installer verification rather than a hidden silent updater service
- installer registration and update validation improvements that keep update handling in a browser-controlled flow
- accessibility page-tool restrictions so reading and selection helpers avoid running on unsupported or internal pages
- deferred startup initialization so slower background work can move off the first-window path without weakening the existing hardened runtime checks
- local-only localization loading that keeps language packs under a constrained application-owned locale root instead of exposing direct renderer file access
- strict locale JSON parsing, schema validation, and UTF-8 decoding checks before translations are accepted
- translation-string sanitization that strips control characters and dangerous bidirectional controls before UI rendering
- locale path normalization and root-confinement checks that prevent traversal outside the trusted `locales` tree
- SHA-256 locale manifest verification that can reject tampered or corrupted locale packs
- locale fallback and inheritance resolution in the main process so malformed locale requests fail closed and safely fall back to trusted defaults
- startup recovery in `main.js` so polluted shell state such as `ELECTRON_RUN_AS_NODE=1` cannot silently downgrade the browser into the wrong execution mode
- development-only startup and localization performance capture hooks that remain opt-in and do not widen normal renderer privileges
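The per-service navigation allowlist, unsafe-scheme blocking and permission lockdown for streaming views come down to two policy decisions, one for every navigation, redirect or popup target and one for every permission request. The block below is an added example and not the project's own code: it implements both decisions as pure functions and wires them to an Electron `webContents` and `session` through duck-typed objects, so it runs and can be tested outside Electron. The service host lists are constructed for illustration and are not the project's real allowlists.

```javascript
'use strict';
// Added example, not the project's own code: the per-service navigation
// allowlist, unsafe-scheme blocking and permission lockdown described above,
// as pure policy functions plus a helper that wires them to a BrowserView's
// webContents and session. The host lists below are constructed for
// illustration, not taken from the project.

// Schemes called out above. Everything that is not https: is denied anyway;
// this set only produces a sharper reason for logging.
const UNSAFE_SCHEMES = new Set(['data:', 'file:', 'chrome:', 'javascript:']);

// Per-service host allowlist: exact host or registrable domain. Constructed.
const SERVICE_ALLOWLIST = {
  netflix: ['netflix.com', 'nflxext.com', 'nflximg.net'],
  youtubetv: ['tv.youtube.com', 'accounts.google.com', 'accounts.youtube.com'],
};

// Exact host or a subdomain of it. A plain suffix check would accept
// "netflix.com.evil.example"; requiring the leading dot does not.
function hostMatches(hostname, allowed) {
  return hostname === allowed || hostname.endsWith('.' + allowed);
}

// Decision for a navigation, redirect or popup target inside a service view.
function navigationDecision(serviceId, target) {
  let u;
  try { u = new URL(target); } catch { return { allow: false, reason: 'unparseable URL' }; }
  if (UNSAFE_SCHEMES.has(u.protocol)) return { allow: false, reason: `unsafe scheme ${u.protocol}` };
  if (u.protocol !== 'https:') return { allow: false, reason: `scheme ${u.protocol} is not https:` };
  const allowed = SERVICE_ALLOWLIST[serviceId];
  if (!allowed) return { allow: false, reason: `unknown service ${serviceId}` };
  if (!allowed.some((h) => hostMatches(u.hostname, h))) {
    return { allow: false, reason: `host ${u.hostname} not in ${serviceId} allowlist` };
  }
  return { allow: true, reason: 'allowlisted' };
}

// Playback-oriented permissions only: EME/DRM key systems and fullscreen.
// 'media' (camera/microphone), geolocation, notifications, midi/midiSysex and
// clipboard-read are never in this set, and unknown names also fall to deny.
const PLAYBACK_PERMISSIONS = new Set(['mediaKeySystem', 'fullscreen']);

function permissionDecision(serviceId, permission, requestingUrl) {
  if (!PLAYBACK_PERMISSIONS.has(permission)) return false;
  // Even playback permissions go only to an origin the service may navigate to.
  return navigationDecision(serviceId, requestingUrl).allow;
}

// Wires the policies to Electron-shaped objects. With Electron:
//   attachStreamingGuards('netflix', view.webContents, view.webContents.session)
// Duck-typed so it can be exercised with fakes outside Electron.
function attachStreamingGuards(serviceId, webContents, ses) {
  const guard = (event, url) => {
    const d = navigationDecision(serviceId, url);
    if (!d.allow) event.preventDefault();   // cancels the navigation or redirect
    return d;
  };
  webContents.on('will-navigate', guard);
  webContents.on('will-redirect', guard);
  // Popups: deny unless allowlisted. A real handler also returns
  // overrideBrowserWindowOptions carrying the same hardened webPreferences.
  webContents.setWindowOpenHandler(({ url }) =>
    navigationDecision(serviceId, url).allow ? { action: 'allow' } : { action: 'deny' });
  ses.setPermissionRequestHandler((_wc, permission, callback, details) => {
    callback(permissionDecision(serviceId, permission, details.requestingUrl));
  });
}

module.exports = { navigationDecision, permissionDecision, attachStreamingGuards };
```

Two design choices matter here. The policy is default-deny at every layer (unknown service, non-`https:` scheme, unlisted host, unlisted permission), so new Electron permission names or new redirect targets are refused until someone adds them deliberately. And `will-redirect` is guarded alongside `will-navigate`, because an allowlisted login page that server-redirects to an attacker-controlled host would otherwise slip past a navigation-only check.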
This approach helps limit unnecessary network activity and reduces avoidable attack surface.
For security matters, use the project's private reporting path rather than public channels.
Community channels should not be used for security reports or for sharing logs that may contain private information.