Arc creator The Browser Company has officially launched a bug bounty program to shore up the security of its growing Chromium-based browser. The company is also releasing a new security bulletin to maintain “transparent and proactive communication” with users and researchers about bug fixes and reports.
These security revisions followed a devastating flaw that a researcher found and reported to the company, which would have allowed attackers to inject arbitrary code into any user's browser simply by knowing the easily discoverable user ID.
The problem lay in the Arc Boosts feature, which allows you to customize any website using CSS and JavaScript. In addition to the initial mitigations, the company says it has now disabled boosts with JavaScript by default and added a new global switch to turn off boosts completely in Arc version 1.61.2.
The researcher, named xyz3va, initially received a $2,000 bounty for the information. Now that the new program is in place, The Browser Company is retroactively increasing the amount to $20,000. The vulnerability was fixed on August 26th.
The new program allows security researchers to submit reports and receive rewards based on the severity of the bug. Low severity findings that are “limited in scope” or “difficult to exploit” could fetch up to $500, medium up to $2,500, high up to $10,000, and critical findings the cap of $20,000.
The blog post also outlined new approaches to finding other vulnerabilities, such as development guidelines with additional code reviews, adding security-specific code audits, and hiring new employees for the security engineering team.