About security, here’s an example of why it is not transparent and whether there is any kind of SLA or KPI for security releases.
Brave just released V1.5.113 a few hours ago. The changelog is the following:
Release Notes V1.5.113
- Upgraded Chromium to 80.0.3987.149. (#8728)
Chromium 80.0.3987.149 was released two days ago (!!), and its changelog is the following:
- [1051748] High CVE-2020-6422: Use after free in WebGL. Reported by David Manouchehri on 2020-02-13
- [1031142] High CVE-2020-6424: Use after free in media. Reported by Sergei Glazunov of Google Project Zero on 2019-12-05
- [1031670] High CVE-2020-6425: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-06
- [1052647] High CVE-2020-6426: Inappropriate implementation in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-02-16
- [1055788] High CVE-2020-6427: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-02-25
- [1057593] High CVE-2020-6428: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-02
- [1057627] High CVE-2020-6429: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-02
- [1059349] High CVE-2019-20503: Out of bounds read in usersctplib. Reported by Natalie Silvanovich of Google Project Zero on 2020-03-06
- [1059686] High CVE-2020-6449: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-09
Two full days (that looks like a little too much) to release such high-impact security fixes (should they be released within a maximum of 24 hours? 48? Is there any metric?), plus no reference to any security fixes in the official changelog.
Unless I google it, just by reading the Brave changelog I have no idea of the fixes (or whether I was exposed, and, in case I’m waiting for a fix for a known vulnerability, whether it was deployed).
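As an added example (not the poster's code, nor Brave's or Chromium's), here is a small Python script that parses Chromium security release-note lines of the kind quoted above into structured records and computes the two numbers the post asks about: the lag between the upstream and downstream release checked against an SLA, and how many days each High-severity bug had been reported before the downstream fix shipped. The release dates passed to the functions are assumptions for the example, not values from the post.

```python
import re
from datetime import date

# Constructed sample input: the nine Chromium 80.0.3987.149 security entries quoted above,
# in the line format used by Chromium stable release notes.
CHROMIUM_NOTES = """\
- [1051748] High CVE-2020-6422: Use after free in WebGL. Reported by David Manouchehri on 2020-02-13
- [1031142] High CVE-2020-6424: Use after free in media. Reported by Sergei Glazunov of Google Project Zero on 2019-12-05
- [1031670] High CVE-2020-6425: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-06
- [1052647] High CVE-2020-6426: Inappropriate implementation in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-02-16
- [1055788] High CVE-2020-6427: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-02-25
- [1057593] High CVE-2020-6428: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-02
- [1057627] High CVE-2020-6429: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-02
- [1059349] High CVE-2019-20503: Out of bounds read in usersctplib. Reported by Natalie Silvanovich of Google Project Zero on 2020-03-06
- [1059686] High CVE-2020-6449: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-09
"""

# One entry: "- [bug] Severity CVE-YYYY-NNNN: summary. Reported by <who> on YYYY-MM-DD"
ENTRY_RE = re.compile(
    r"^- \[(?P<bug>\d+)\] (?P<severity>\w+) (?P<cve>CVE-\d{4}-\d+): "
    r"(?P<summary>.+?)\. Reported by (?P<reporter>.+?) on (?P<reported>\d{4}-\d{2}-\d{2})$"
)

def parse_notes(text):
    """Turn release-note lines into dicts; lines that don't match the entry format are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["reported"] = date.fromisoformat(e["reported"])
            entries.append(e)
    return entries

def release_lag(upstream_release, downstream_release, sla_days):
    """Days between the upstream (Chromium) and downstream (Brave) release dates (ISO strings), vs. an SLA."""
    lag = (date.fromisoformat(downstream_release) - date.fromisoformat(upstream_release)).days
    return {"lag_days": lag, "within_sla": lag <= sla_days}

def exposure_report(entries, downstream_release, min_severity="High"):
    """For each entry at or above min_severity: days from the report date to the downstream fix shipping."""
    rank = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
    shipped = date.fromisoformat(downstream_release)
    return {
        e["cve"]: (shipped - e["reported"]).days
        for e in entries
        if rank.get(e["severity"], -1) >= rank[min_severity]
    }
```

Calling `release_lag("2020-03-18", "2020-03-20", sla_days=1)` with those assumed dates reports a 2-day lag that misses a 24-hour SLA, and `exposure_report(parse_notes(CHROMIUM_NOTES), "2020-03-20")` gives the per-CVE days between public report and downstream fix.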