Arc Browser Introduces Bug Bounty Program and Security Bulletins

Arc Creator The Browser Company Launches Bug Bounty Program

The Browser Company, known for its innovative Chromium-based browser, Arc, has launched an official bug bounty program. This initiative aims to enhance the browser's security measures within a rapidly evolving digital environment. The company has also introduced a new security bulletin to maintain transparent and proactive communication with users and security researchers regarding bug fixes and reports.

Background on the Security Issue

This new security initiative is in response to a significant vulnerability identified by a researcher, which had the potential to allow malicious actors to insert arbitrary code into users’ browsers merely by obtaining their easily accessible user IDs. This severe issue was linked to the Arc Boosts feature, which enables users to customize any website with CSS and JavaScript. In response, The Browser Company has introduced several critical updates:

• Disabling Boosts with JavaScript by default.
• Implementing a new global toggle to disable Boosts entirely.
• Releasing Arc version 1.61.2 to enforce these changes.

Details of the Vulnerability and Bounty Payment

The researcher, known as xyz3va, initially received a $2,000 bounty for reporting this critical vulnerability. Following the launch of the new bug bounty program, The Browser Company is retroactively increasing the bounty to $20,000. The vulnerability was officially patched on August 26th.

New Bug Bounty Program and Rewards Structure

With the inaugural bug bounty program, The Browser Company is inviting security researchers to report vulnerabilities, with a reward system based on the severity of the findings. Here’s a breakdown of the reward structure:

• Low severity findings: Up to $500 for limited scope or hard-to-exploit vulnerabilities.
• Medium severity findings: Up to $2,500.
• High severity findings: Up to $10,000.
• Critical findings: A maximum reward of $20,000.

Future Practices for Enhanced Security

In addition to the bug bounty program, The Browser Company outlined several new practices aimed at identifying and mitigating potential vulnerabilities:

• Establishing development guidelines accompanied by further code reviews.
• Commissioning security-specific code audits.
• Hiring additional staff for the security engineering team.

Conclusion

The Browser Company’s proactive approach to browser security through the new bug bounty program exemplifies its commitment to creating a secure user experience. With the community’s involvement, it aims to swiftly identify and address potential threats, ultimately fortifying its innovative browser platform.