SquareX Launches “Year of Browser Bugs” (YOBB) to Expose Critical Security Blind Spots

Groundbreaking initiative reveals browser vulnerabilities in understudied yet critical attack surface

SquareX, a pioneer in Browser Detection and Response (BDR) space, announced the launch of the “Year of Browser Bugs” (YOBB) project today, a year-long initiative to draw attention to the lack of security research and rigor in what remains one of the most understudied attack vectors – the browser.

The browser has evolved from a simple web rendering engine to being the new “endpoint” — the primary gateway through which users interact with the Internet, for work, leisure and transactions. Yet, traditional security solutions continue to focus on endpoints and networks despite the exponential growth of browser-native attacks.

The YOBB project was inspired by Month of Bugs (MOB), an iconic cybersecurity initiative where security researchers would publish one major vulnerability found in major software providers for every day of the month. MOB projects played a huge role in improving the gravity at which security and responsible disclosure is taken in these companies. Notable projects included the Month of Browser Bugs (July 2006), Month of Kernel Bugs (November 2006) and Month of Apple Bugs (January 2007). SquareX is bringing back this tradition with the YOBB to raise awareness on cyberthreats that the browser is vulnerable to. However, unlike H. D. Moore’s original Month of Browser Bugs that focused on software bugs in the browser itself, SquareX will be disclosing application layer attacks that can be delivered through any website, app or cloud data storage accessed through the browser.

Throughout 2025, SquareX’s research team will disclose at least one critical web attack per month as part of the YOBB project, focusing on vulnerabilities that exploit architectural limitations of the browser and incumbent solutions. The research will reveal never-seen-before attack vectors that remain unknown even to the cybersecurity community. Each disclosure will include attack video demonstrations, technical breakdowns, and mitigation strategies. These disclosures will be wholly SquareX-researched and discovered, rather than an aggregation of existing security research.

Under the YOBB initiative, SquareX has already made major releases since 2024 and into the first two months of 2025:

• 2025
  • January: SquareX Discloses “Browser Syncjacking”, a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk
  • February: SquareX Unveils Polymorphic Extensions that Morph Infostealers into Any Browser Extension – Password Managers, Wallets at Risk  
• 2024
  • August: SquareX Uncovers Critical Flaw in Secure Web Gateways
  • December: Cyberhaven’s OAuth Identity Attack — Are your Extensions Affected?

Quoting Vivek Ramachandran, the Founder and CEO of SquareX, “As browsers become the new endpoint, attackers are increasingly targeting employees to break into organizations and exfiltrate data, just like the Cyberhaven incident. Unfortunately, beyond mainstream media attention, there is little done by vendors from a security perspective to prevent similar exploits from happening in the future. The YOBB is our attempt to draw attention to an attack surface that is exponentially growing. We hope that this will serve as a call to action for browser and security vendors to solve these vulnerabilities that give rise to application layer attacks that simply cannot be solved through browser patches.” As the year progresses, security teams can expect monthly disclosures to be documented at https://sqrx.com/research.

Legal Disclaimer: The Editor provides this news content "as is," without any warranty of any kind. We disclaim all responsibility and liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. For any complaints or copyright concerns regarding this article, please contact the author mentioned above.