The Browser Company, maker of the Arc browser, has officially launched a bug bounty program to shore up the security of its evolving Chromium-based browser. The company also launched a new security advisory page to maintain “transparent and proactive communication” with users and researchers about bug fixes and reporting.
These changes come on the heels of a serious bug, discovered and reported to the company by a researcher, that allowed attackers to run arbitrary code in any user’s browser simply by knowing that user’s easily found user ID.
The problem lay in the Arc Boosts feature, which lets you customize any website with your own CSS and JavaScript. In addition to the initial mitigations, the company says that JavaScript in Boosts is now disabled by default, and Arc version 1.61.2 adds a global switch that turns off Boosts entirely.
The researcher, known as xyz3va, was initially awarded a $2,000 bounty for the report. Now, with the new program in place, the company is retroactively raising that payout to $20,000. The vulnerability was fixed on August 26.
Through the new program, security researchers can submit reports and receive rewards based on the severity of their findings. Low-severity findings that are “limited in scope” or “difficult to exploit” earn up to $500, moderate-severity findings up to $2,500, high-severity findings up to $10,000, and severe findings up to $20,000.
The blog post also outlines new practices meant to catch vulnerabilities earlier, such as updated development guidelines, security-specific code reviews in addition to the existing review process, and new hires for the security engineering team.