Old and fixed last year:
Timeline
May 16th, 2020 — Initial report to HackerOne
May 17th, 2020 — Remote exploit reported
Jun 2nd, 2020 — Fix started
Jun 16th, 2020 — Fix deployed
Jun 18th, 2020 — Bounty assigned ($500)
Aug 29th, 2020 — Report reopened due to a regression
Oct 23rd, 2020 — Fix re-deployed
Brave resolved the issue in v1.12.32, approximately 1 month after the initial report. However, this fix was reverted due to a regression in the way Brave dealt with local PDF files in v1.13.87. The final fix was then deployed 5 months after the initial report in v1.18.5.