The Browser Company has rolled out a Bug Bounty Program for its Arc browser, aiming to engage security researchers in identifying vulnerabilities and offering rewards for their discoveries.

This initiative follows the disclosure of a serious remote code execution flaw, tracked as CVE-2024-45489, which could have allowed attackers to carry out large-scale attacks on Arc users. The vulnerability stemmed from how Arc uses Firebase for authentication and as its backing database, and it let an attacker inject malicious JavaScript into other users' browsers.

A researcher uncovered the issue in Arc's "Boosts" feature, which lets users customize websites with their own JavaScript. Arc's Firebase access rules did not prevent a Boost's creator ID from being rewritten, so an attacker could reassign a malicious Boost to another user's ID; Arc then synced that Boost to the victim, and its JavaScript executed in the victim's browser whenever they visited the targeted site.
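The root cause described above is a missing invariant in the database's access rules: the owner of a record may update it, but nothing stops the update from changing who the owner is. The following Firestore security rules are an added illustration of that class of mistake, not The Browser Company's actual rules; the collection name `boosts`, the field name `creatorID`, and the document shape are assumptions. The first `match` block shows the weak rule, the second the hardened form.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (illustrative, assumed schema): the owner check only looks at the
    // document as it exists now. An authenticated owner can therefore write
    // a new creatorID pointing at any other user, and the record is silently
    // handed to that user the next time their client syncs.
    match /boosts_weak/{boostId} {
      allow read: if request.auth != null;
      allow create: if request.auth != null
        && request.resource.data.creatorID == request.auth.uid;
      allow update, delete: if request.auth != null
        && resource.data.creatorID == request.auth.uid;
    }

    // HARDENED (illustrative, assumed schema): the owner must match on both
    // the stored document and the incoming one, and creatorID is pinned so
    // it cannot change after creation. Reads are also restricted to the
    // owner, so other users' records are not fetched in the first place.
    match /boosts/{boostId} {
      function isOwner() {
        return request.auth != null
          && resource.data.creatorID == request.auth.uid;
      }
      function creatorUnchanged() {
        return request.resource.data.creatorID == resource.data.creatorID;
      }

      allow read: if isOwner();
      allow create: if request.auth != null
        && request.resource.data.creatorID == request.auth.uid;
      allow update: if isOwner() && creatorUnchanged();
      allow delete: if isOwner();
    }
  }
}
```

The check worth internalising is `creatorUnchanged()`: any field that the client uses to decide whose data a record is must be validated against `request.resource.data` (the incoming write), not only `resource.data` (the stored document). The Firebase emulator's rules test harness can exercise both cases by writing a document as user A and then attempting, as A, an update that sets `creatorID` to user B; the weak rules accept it and the hardened rules reject it.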

Although the flaw had existed for some time, it was fixed promptly on August 26, 2024, one day after the researcher reported it. The researcher received a $2,000 bounty for the responsible disclosure.

Arc Bug Bounty Program Details

The new Bug Bounty Program is open to security researchers and covers Arc for macOS, Arc for Windows, and Arc Search for iOS. Rewards are tiered by the severity of the reported issue:

  • Critical: Full system access or high-impact exploits. Reward: $10,000 – $20,000
  • High: Major vulnerabilities compromising session integrity or exposing sensitive data. Reward: $2,500 – $10,000
  • Medium: Issues with moderate impact, such as partial access to data. Reward: $500 – $2,500
  • Low: Minor bugs requiring user interaction or limited scope. Reward: Up to $500

Researchers can visit the Arc website for more information on the Bug Bounty Program.

Security Enhancements and Future Plans

Following the CVE-2024-45489 incident, Arc has taken several security measures, including disabling automatic syncing of Boosts that contain JavaScript. Arc version 1.61.2, released on September 26, adds a toggle that lets users disable Boosts entirely. An external security audit of Arc's backend systems is also in progress.

The Browser Company has also announced upcoming changes, including an MDM configuration option that lets organizations disable Boosts across all managed devices. New coding guidelines, improved incident response procedures, and an expanded security team are also planned to strengthen the browser's security posture.

Since its launch just over a year ago, Arc has gained a strong following thanks to its customizable user interface, built-in uBlock Origin integration, and fast performance. However, its rising popularity has also drawn cybercriminals, who have traded on the Arc name to distribute malware to Windows users.