The Browser Company has launched a bug bounty program for its Arc browser after patching a remote code execution (RCE) vulnerability, CVE-2024-45489, within a day of its report. CEO Josh Miller announced both the program and the fix, framing them as part of the company's commitment to transparency and security.
The vulnerability was reported on August 25 and patched within 24 hours; the company states that no users were affected. The incident prompted a broad review of its security practices. Miller stated, “This was an important moment for us and our members,” emphasizing the company's commitment to improving security and incident response.
Arc Browser Launches Bug Bounty Program
The Browser Company has launched the Arc Bug Bounty Program to engage the security research community in finding vulnerabilities in Arc. The program's page sets out reward tiers and submission guidelines, and the company says the program will be adjusted based on feedback from participants.
In response to CVE-2024-45489, The Browser Company has shipped or begun several security measures:
- JavaScript Boosts: As of Arc version 1.61.2, JavaScript Boosts are no longer enabled automatically on a user's synced devices; a Boost that runs JavaScript must be enabled on each device explicitly.
- Global toggle: A new global toggle in Advanced Settings disables all Boost-related features for users who do not want them at all.
- External audit: An external security firm has been engaged to review the company's backend systems, starting with the access-control lists (ACLs) that govern who can read and write backend data.
- Internal processes: The company is revising its internal processes to catch vulnerabilities earlier in development, with an emphasis on secure-by-design principles and defense-in-depth coding practices.
The company has also revised its incident response process to communicate more clearly and respond more quickly. A new Security Bulletin will serve as the official source for all security incident reports, including technical details and impact assessments.