Arc Browser adds security bulletins and bug bounties

1 month ago

Arc creator The Browser Company has officially started a bug bounty program to keep its growing Chromium-based browser's security in check. The company is also launching a new security bulletin to support "transparent and proactive communication" with users and researchers on bug fixes and reports.

These security revisions followed a devastating bug a researcher found and reported to the company that would have allowed bad actors to insert arbitrary code into anyone's browser just by knowing their easily findable user ID.

The problem lived inside the Arc Boosts feature, which lets you customize any website with CSS and JavaScript. On top of its initial mitigations, the company says it has now disabled Boosts with JavaScript by default and added a new global toggle to turn Boosts off entirely in Arc version 1.61.2.

The researcher, known as xyz3va, was initially paid a $2,000 bounty for the finding. Now, with the new program in place, The Browser Company is raising it to $20,000 retroactively. The vulnerability was patched on August 26th.

With the new program, security researchers can submit reports and get rewards based on the bug's severity. Low severity findings that are "limited scope" or "hard to exploit" could land up to $500, Medium gets up to $2,500, High up to $10,000, and Critical earns the $20,000 ceiling.

The blog post also outlined new practices for finding other vulnerabilities, such as development guidelines with additional code reviews, security-specific code audits, and hiring new staff for the security engineering team.
