The Browser Company has rolled out a Bug Bounty Program for its Arc browser, aiming to engage security researchers in identifying vulnerabilities and offering rewards for their discoveries.
This initiative follows the exposure of a serious remote code execution flaw, labeled CVE-2024-45489, which could have allowed hackers to carry out large-scale attacks on Arc users. The vulnerability was tied to how Arc integrates Firebase for authentication and database management, making it possible for attackers to inject malicious code into users’ browsers.
A researcher uncovered a significant issue in Arc’s “Boosts” feature, which lets users customize websites using JavaScript. The flaw allowed attackers to manipulate Boosts by altering the creator ID, resulting in malicious code execution in another user’s browser when they visited a specific site.
Although the flaw had existed for some time, it was fixed promptly on August 26, 2024, just a day after the researcher disclosed it. The researcher was rewarded $2,000 for the responsible disclosure.
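The bug class described above (a client-writable database letting any signed-in account rewrite another user's record, including its owner field) is usually a matter of the Firebase security rules attached to the database. The rules fragment below is an added illustration written for this article, not Arc's actual configuration or code from The Browser Company; the collection name boosts and the field name creatorId are assumptions chosen to match the article's wording, and the real schema is not on the page. It shows the over-permissive pattern beside a version that ties every write to the authenticated owner and makes the creator field immutable.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical collection and field names (not Arc's real schema).
    match /boosts/{boostId} {

      // Over-permissive pattern: any signed-in account may overwrite any
      // document, including its creatorId, so ownership can be reassigned.
      //   allow write: if request.auth != null;

      // The requester must be the document's recorded owner.
      function isOwner() {
        return request.auth != null
            && request.auth.uid == resource.data.creatorId;
      }

      // The creatorId stored after the write must equal the one before it.
      function creatorUnchanged() {
        return request.resource.data.creatorId == resource.data.creatorId;
      }

      allow read: if request.auth != null;

      // New documents may only be created with the caller as creator.
      allow create: if request.auth != null
                    && request.resource.data.creatorId == request.auth.uid;

      // Updates require ownership and may not reassign the creator.
      allow update: if isOwner() && creatorUnchanged();

      allow delete: if isOwner();
    }
  }
}
```

Because these rules are the only server-side authorization layer for direct client access, they can be exercised offline with the Firebase emulator's rules unit-testing support before deployment; a useful check is that an update from a second authenticated user, with or without a changed creatorId, is denied while the owner's own edits still succeed.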
Arc Bug Bounty Program Details
The new Bug Bounty Program is open to security researchers focusing on Arc for macOS, Windows, and Arc Search for iOS. Rewards are categorized based on the severity of the reported issue:
- Critical: Full system access or high-impact exploits. Reward: $10,000 – $20,000
- High: Major vulnerabilities compromising session integrity or exposing sensitive data. Reward: $2,500 – $10,000
- Medium: Issues with moderate impact, such as partial access to data. Reward: $500 – $2,500
- Low: Minor bugs requiring user interaction or limited scope. Reward: Up to $500
Researchers can visit the Arc website for more information on the Bug Bounty Program.
Security Enhancements and Future Plans
Following the CVE-2024-45489 incident, Arc has taken several security measures, including disabling the auto-syncing of Boosts with JavaScript. A new toggle feature allows users to turn off all Boost-related functions in the latest Arc version 1.61.2, released on September 26. Additionally, an external security audit is in progress to ensure the integrity of Arc’s backend systems.
The Browser Company has also announced upcoming features, including a new MDM configuration option to disable Boosts across entire organizations. Furthermore, new coding guidelines, improved incident response procedures, and an expanded security team are in the works to strengthen the browser’s security framework.
Since its launch just over a year ago, Arc has gained a strong following thanks to its customizable user interface, uBlock Origin integration, and fast performance. However, its rising popularity has also attracted cybercriminals who have used the platform to distribute malware to Windows users.
Bijay Pokharel