Posted by u/WorldDev a year ago
Ask HN: CVEs Comparison Brave vs. Firefox. Incorrect CVEs for Brave?
I am trying to compare Brave Browser to Firefox, on the security dimension.

One of the metrics I am looking at is the number of CVEs.

It's obviously an imperfect metric (they all are), but I thought it might be useful.

Over the last 2 years:

- Chrome has [648 CVE](https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=&product_id=3264&startdate=2022-03-25&enddate=2024-03-25)

- Firefox has [380 CVE](https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=&product_id=3264&startdate=2022-03-25&enddate=2024-03-25)

- Brave has [2 CVE](https://www.cvedetails.com/version-list/0/65025/1/?q=Brave+Browser)

How should I think of the Brave/Chrome CVEs?

I assume that most Chrome CVEs affect Brave as well (since they share the Chromium codebase), so it seems like the number of Brave CVEs is incorrect?

pvg · a year ago
CVE numerology is not a good way to assess comparative security. A search of the comments of local CVE enjoyer tptacek is a decent jumping-off point:

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

WorldDev · a year ago
Yes, I have seen that argument often. I agree number of CVEs is a very rough metric. However, I am still confused as to why none of Chrome's CVEs would be Brave's CVEs?
pvg · a year ago
> very rough metric

The argument is, fundamentally, that it's not even that. It's not a rough proxy for the thing you want to evaluate, it's not any kind of proxy for it at all - that's a qualitatively different argument from your restatement of it.

If you want a very rough comparative proxy, an obvious one is 'Brave is a much smaller downstream consumer of Chrome, Chrome has a larger security team/infrastructure than Brave has employees'. I think you can draw more meaningful conclusions from that alone than from CVE tallies.
