Thursday, 26 Dec 2024

Arc browser adds security bulletins and bug bounties

Arc creator The Browser Company has officially started a bug bounty program to keep its growing Chromium-based browser’s security in check. The company is also launching a new security bulletin to maintain “transparent and proactive communication” with users and researchers on bug fixes and reports.These security revisions followed a devastating bug a researcher found and reported to the company that would’ve allowed bad actors to insert arbitrary code into anyone’s browser just by knowing their easily findable user ID. The problem lived inside the Arc Boosts feature that lets you customize any website with CSS and Javascript. On top of its initial mitigations, the company says it now has disabled Boosts with Javascript by default and


Arc browser adds security bulletins and bug bounties
1.2 k views

Arc creator The Browser Company has officially started a bug bounty program to keep its growing Chromium-based browser's security in check. The company is also launching a new security bulletin to maintain "transparent and proactive communication" with users and researchers on bug fixes and reports.

These security revisions followed a devastating bug a researcher found and reported to the company that would've allowed bad actors to insert arbitrary code into anyone's browser just by knowing their easily findable user ID.

The problem lived inside the Arc Boosts feature that lets you customize any website with CSS and Javascript. On top of its initial mitigations, the company says it now has disabled Boosts with Javascript by default and added a new global toggle to turn Boosts off completely in Arc version 1.61.2.

The researcher, known as xyz3va, was initially paid a $2,000 bounty for the information. Now, with the new program in place, The Browser Company is upping it to $20,000 retroactively. The vulnerability was patched on August 26th.

With the new program, security researchers can submit reports and get rewards based on the bug's severity. Low severity findings that are "limited scope" or "hard to exploit" could land up to $500, Medium gets up to $2,500, High up to $10,000, and Critical earns the $20,000 ceiling.

The blog post also outlined new practices to find other vulnerabilities, like development guidelines with additional code reviews, adding security-specific code audits, and hiring new staff for the security engineering team.

you may also like

Mom's message in a bottle found by her own daughter 26 years later
  • by foxnews
  • descember 09, 2016
Mom's message in a bottle found by her own daughter 26 years later

A fourth grader went on a school trip when someone found a message in a bottle containing a letter that was written by her mom 26 years ago. The message was tossed into the Great Lakes.

read more