Arc Browser adds security features and bug fixes
The Browser Company, the creator of the Arc browser, has officially started a bug bounty program to keep the security of the Chromium-based browser strong. The company also introduced a new security report to maintain “transparent and continuous communication” with users and researchers on bug fixes and reports.
These security updates follow a serious bug that a researcher discovered and reported to the company, which would allow bad actors to inject malicious code into anyone’s browser by knowing their easily accessible user ID.
The problem lay within the Arc Boosts feature, which allows you to customize any website with CSS and JavaScript. Despite its initial mitigations, the company says it has now disabled Boosts with JavaScript by default and added a new global change to disable Boosts entirely in Arc version 1.61.2.
The researcher, known as xyz3va, was initially paid a $2,000 bonus for the information. Now, with a new program available, the Browser Company adds up to $20,000 over and over again. The vulnerability was resolved on August 26.
With the new system, security researchers can submit reports and receive rewards based on the severity of the bug. Low-criticality findings of “moderate severity” or “difficult to implement” can receive up to $500, Medium receives $2,500, High receives up to $10,000, and Critical receives a ceiling of $20,000.
The blog post also outlined new processes for finding other vulnerabilities, such as development guidelines with more code reviews, adding security-specific code testing, and hiring new security engineering team members.