It's normal in any open source project to keep security mailing lists and things of that nature private. And for good reasons.
One of the reasons is they are dealing with security-related bug reports. Public disclosure before having a fix in place puts users at risk.
Besides that, 'security' is a process that all groups are responsible for. So it can't help being _developed_ in the open if the project is open. Which Brave is.
I agree with the above. I guess I interpreted the comment as saying some code parts of Brave are not open for security reasons. I don't actually know whether this is true or not.
Code-wise, sure, but if you're discussing a 0-day in the wild, you may want to keep it private while you work out the details and the solution, otherwise you're inviting more abuse.