Mon Sep 30 2024

Arc adds security bulletins and bug bounties.

It's time to make changes.

The Browser Company, creator of the Arc browser, has launched an official bug bounty program aimed at strengthening the security of its Chromium-based browser. As part of this effort, it has also released a new security bulletin intended to foster clear and proactive communication with users and researchers regarding fixes and bug reports.

This focus on security comes after a researcher reported a serious flaw that could have allowed attackers to inject arbitrary code into any user's browser simply by knowing that user's ID, a value that is easily accessible. The vulnerability was located in the Arc Boosts feature, which lets users customize any web page with their own CSS and JavaScript. To mitigate the issue, the company disabled JavaScript Boosts by default and added a global option to completely disable the feature in version 1.61.2 of Arc.

The researcher, identified as xyz3va, originally received a reward of $2,000 for their discovery. With the implementation of the new bounty program, the company has decided to retroactively increase this amount to $20,000. The vulnerability was fixed on August 26.

The bounty program allows security researchers to submit reports and receive compensation based on the severity of the bugs. Low-severity vulnerabilities, which are of "limited scope" or "hard to exploit," can yield rewards of up to $500. Medium-severity findings can result in up to $2,500, high-severity vulnerabilities can yield up to $10,000, and critical vulnerabilities reach the maximum limit of $20,000.

The announcement also describes new practices for identifying other possible vulnerabilities, including development guidelines with additional code reviews, dedicated security code audits, and new hires for the security engineering team.