October 1, 2024 at 06:35PM
The Browser Company has launched the Arc Bug Bounty Program to incentivize researchers to report vulnerabilities. This responds to a critical flaw allowing attackers to execute arbitrary code, leading to the prompt addressal of the issue and a $2,000 reward to the researcher. The bounty program offers varying rewards based on the flaw severity. Additionally, Arc has implemented security measures and will release new features while enhancing its security team.
From the meeting notes, I have summarized the following key points:
– The Browser Company introduced the Arc Bug Bounty Program to incentivize security researchers to report vulnerabilities and receive rewards.
– The program was launched in response to a critical remote code execution flaw, CVE-2024-45489, affecting Arc’s use of Firebase for authentication and database management.
– A researcher discovered a “catastrophic” flaw in the “Boosts” feature, allowing the execution of malicious JavaScript code in other users’ browsers.
– The flaw was promptly addressed after being responsibly disclosed to the Arc team, and the researcher was awarded $2,000.
– The bug bounty program covers Arc on macOS and Windows, as well as Arc Search on the iOS platform, with set payouts based on the severity of discovered flaws.
– Updates to address the issues include disabling auto-syncing of Boosts with JavaScript, adding a toggle to turn off all Boost-related features in Arc 1.61.2, and implementing a new MDM configuration option to disable Boosts for entire organizations.
– The Browser Company is conducting an audit of Arc’s backed systems and has outlined new measures for incident response, security team expansion, and enhanced coding guidelines.
Let me know if you need further information or have any specific questions.