After a researcher reported an embarrassing flaw that could’ve been used to take over anyone’s browser, Arc has changed its approach to security.
Arc, the Chromium-based browser developed by The Browser Company, has officially launched a bug bounty program to enhance its security measures as the browser’s user base expands. The new initiative is designed to ensure the browser remains robust and secure, while fostering transparent communication with users and security researchers through regular security bulletins.
These updates come on the heels of a major security flaw that could have allowed malicious actors to inject arbitrary code into Arc users’ browsers simply by knowing their easily discoverable user ID. This vulnerability was brought to light by a security researcher, who reported the issue to the company.
The flaw was traced back to the Arc Boosts feature—a popular customization tool that lets users modify websites using CSS and JavaScript. While the feature offers great flexibility, it also introduces the potential for misuse. To address this, The Browser Company not only patched the vulnerability but also introduced further mitigations. In Arc version 1.61.2, JavaScript Boosts are now disabled by default, and users can take additional control with a global toggle that allows them to completely switch off Boosts across the browser.
Turning a Crisis into a Catalyst for Better Security
The security researcher, known as “xyz3va,” initially received a $2,000 bounty for their discovery. However, as part of its strengthened security focus, The Browser Company retroactively increased the reward to $20,000, reflecting the severity of the vulnerability. The fix for this critical issue was rolled out on August 26th.
Recognizing the importance of engaging with the security community, The Browser Company’s new bug bounty program will reward researchers for identifying vulnerabilities, offering rewards based on the severity of the findings. Low-severity issues, which may be limited in scope or difficult to exploit, can fetch up to $500. Medium-severity bugs can earn up to $2,500, while high-severity issues may bring in rewards of up to $10,000. The most critical vulnerabilities—those that pose a significant risk to user security—can now earn researchers up to $20,000.
Prioritizing Transparency and Proactivity
In addition to the bug bounty program, Arc is introducing a security bulletin to provide ongoing updates on vulnerabilities and bug fixes. This will ensure that both users and security researchers stay informed of potential risks and how the company is addressing them. The bulletin is part of Arc’s commitment to being “transparent and proactive” when it comes to security concerns.
The Browser Company also announced other proactive measures to reinforce the security of Arc. These include stricter development guidelines with enhanced code reviews, security-specific code audits, and the expansion of its security engineering team. By tightening internal processes and opening the doors to external contributions through the bounty program, Arc aims to set a new standard for browser security.
As Arc continues to grow in popularity, The Browser Company is demonstrating its commitment to staying ahead of potential threats. These initiatives, combined with the feedback and vigilance of the security community, will play a crucial role in keeping Arc secure for its users.
With these steps, Arc is positioning itself as not only an innovative browser but also a secure one, ensuring its users can browse with confidence.