Arc Browser Unveils Bug Bounty Program Following Critical Security Flaw Fix

2024-10-01

The Browser Company has announced the launch of its Arc Bug Bounty Program, designed to motivate security researchers to find and report vulnerabilities in the Arc Browser. The announcement follows the fix of a critical remote code execution (RCE) vulnerability, tracked as CVE-2024-45489, which posed a significant risk to the safety of Arc users.

The flaw lay in Arc's integration with Firebase, which the browser uses for user authentication and database management, and it allowed attackers to execute arbitrary code in users' browsers. Researchers described the issue as "catastrophic"; it involved the "Boosts" feature, which lets users customize web pages with their own JavaScript. By changing the creator ID of a Boost, an attacker could cause a malicious script to run in the browsers of other, unsuspecting users.
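The ownership weakness described above, shown as an added illustration in Firestore security-rules form; this is not The Browser Company's configuration, and the collection name `boosts`, the field name `creatorId` and the use of Firestore (rather than another Firebase product) are assumptions. The commented-out rule lets any signed-in user overwrite any Boost, including its creator ID; the rules that follow bind every write to the signed-in owner and make the creator ID immutable.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (assumed shape of this class of bug, not Arc's actual rules):
    // any authenticated user may write any document, so one user can
    // rewrite another user's Boost, including its creatorId, and that
    // Boost's JavaScript is then delivered to the other user's browser.
    //
    //   match /boosts/{boostId} {
    //     allow read, write: if request.auth != null;
    //   }

    // HARDENED: reads stay open to signed-in users, but every write is
    // tied to the Boost's owner and creatorId can never change.
    match /boosts/{boostId} {
      function signedIn() {
        return request.auth != null;
      }
      // Compares the stored document's owner with the caller's uid.
      function isOwner() {
        return resource.data.creatorId == request.auth.uid;
      }

      allow read: if signedIn();

      // A new Boost must name the caller as its creator.
      allow create: if signedIn()
                    && request.resource.data.creatorId == request.auth.uid;

      // Only the owner may update, and the creatorId must stay the same.
      allow update: if signedIn()
                    && isOwner()
                    && request.resource.data.creatorId == resource.data.creatorId;

      allow delete: if signedIn() && isOwner();
    }
  }
}
```

Rules like these are best checked against the Firebase emulator with a test that, as a second user, tries to rewrite someone else's Boost and expects a permission denial.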

The Browser Company acted swiftly, fixing the vulnerability within a day of its responsible disclosure by a researcher, who was justly rewarded $2,000 for their efforts.

Details on the Bug Bounty Program

The Bug Bounty Program covers Arc on macOS and Windows, and Arc Search on iOS. Payouts for reported vulnerabilities are categorized by severity:

**Critical**: Full system access or high-impact exploits (no user interaction needed) — Reward: $10,000 - $20,000

**High**: Serious issues that impact session integrity, expose sensitive data, or allow system takeover — Reward: $2,500 - $10,000

**Medium**: Vulnerabilities affecting multiple tabs or having limited data impact (may require user interaction) — Reward: $500 - $2,500

**Low**: Minor issues that necessitate significant user interaction or are limited in scope — Reward: Up to $500

For a comprehensive overview of the Bug Bounty Program, more details can be found on the official Arc website.

In light of CVE-2024-45489, the Arc team stated that they have disabled auto-syncing for Boosts that contain JavaScript and added a toggle to disable all Boost functionality in the latest version, Arc 1.61.2, released on September 26.

Moreover, an external auditing firm will conduct a thorough review of Arc's backend systems. A new Mobile Device Management (MDM) configuration option, allowing organizations to disable Boosts entirely, will also be made available soon.

To further bolster its security framework, The Browser Company is refining its coding guidelines to prioritize auditing and security reviews, revamping its incident response process, and expanding its security team with new hires. This proactive approach signals the company's strong commitment to safeguarding user data and reinforcing trust in the Arc Browser.

Stay tuned for updates as the Arc Bug Bounty Program progresses, and if you're a security researcher, this is your chance to contribute to a safer web experience!