Arc Browser Enhances Security with Bug Bounties and Transparent Bulletins

The Hans India

Highlights

Arc browser now offers a bug bounty program and transparent bulletins, strengthening security and communication with users and researchers.


The Browser Company, creator of the Arc browser, has launched a bug bounty program to bolster the security of its Chromium-based browser. In addition, they’ve introduced a new security bulletin to ensure transparent communication with users and researchers about vulnerabilities and bug fixes.

These security measures come after a researcher reported a critical flaw that could have allowed malicious actors to insert arbitrary code into any browser, using easily discoverable user IDs. The issue stemmed from the Arc Boosts feature, which lets users customize websites using CSS and JavaScript. As a result, Arc has now disabled JavaScript Boosts by default and added a global toggle to disable Boosts entirely in version 1.61.2.

The earlier report was made by researcher xyz3va, who was originally awarded $2,000 for discovering the vulnerability. With the new bug bounty program in place, The Browser Company has increased this reward to $20,000 retroactively. The vulnerability was patched on August 26th.

Under the new bug bounty initiative, researchers are encouraged to report vulnerabilities for monetary rewards based on bug severity. Low-severity findings can earn up to $500, medium up to $2,500, high up to $10,000, and critical bugs up to $20,000.

The company has also outlined additional practices to strengthen its security infrastructure, including enhanced development guidelines, more comprehensive code reviews, dedicated security audits, and expanding its security engineering team. These steps mark a proactive move to ensure Arc's safety and reliability.