Arc creator The Browser Company has officially started a bug bounty program to keep its growing Chromium-based browser’s security in check. The company is also launching a new security bulletin to maintain “transparent and proactive communication” with users and researchers on bug fixes and reports.

These security revisions followed a devastating bug a researcher found and reported to the company that would’ve allowed bad actors to insert arbitrary code into anyone’s browser just by knowing their easily findable user ID. The problem lived inside the Arc Boosts feature that lets you customize any website with CSS and JavaScript. On top of its initial mitigations, the company says it now has disabled Boosts with JavaScript by default and added a new global toggle to turn Boosts off completely in Arc version 1.61.2.

The researcher, known as xyz3va, was initially paid a $2,000 bounty for the information. Now, with the new program in place, The Browser Company is upping it to $20,000 retroactively. The vulnerability was patched on August 26th.

With the new program, security researchers can submit reports and get rewards based on the bug’s severity. Low severity findings that are “limited scope” or “hard to exploit” could land up to $500, Medium gets up to $2,500, High up to $10,000, and Critical earns the $20,000 ceiling.

The blog post also outlined new practices to find other vulnerabilities, like development guidelines with additional code reviews, adding security-specific code audits, and hiring new staff for the security engineering team.
(Originally posted by Umar Shakir)