Arc Browser Announces Bug Bounty Program Following RCE Vulnerability


The Browser Company has launched a Bug Bounty Program for its Arc Browser following the discovery and swift resolution of a remote code execution (RCE) vulnerability.

CEO Josh made the announcement, emphasizing the company’s commitment to transparency and proactive security measures.


CVE-2024-45489: A Swift Response

The vulnerability, CVE-2024-45489, was reported on August 25 and patched within 24 hours. Although no users were affected, the incident prompted a comprehensive review of the company’s security practices.

“This was an important moment for us and our members,” said Josh. “We’ve taken this opportunity to level up our security and incident response practices across the company.”

Launch of the Bug Bounty Program

The Arc Browser Company has introduced the Arc Bug Bounty Program to recognize the critical role of the security research community.

This initiative aims to engage researchers in identifying potential vulnerabilities before they can be exploited. Details about rewards and submission guidelines are now available, with the program designed to evolve based on participant feedback.


Further Mitigations and Internal Improvements

In response to CVE-2024-45489, additional security measures have been implemented:

  • Boosts with JavaScript are no longer automatically enabled across synced devices in Arc version 1.61.2.
  • A global toggle to disable all Boost-related features has been introduced in Advanced Settings.
  • An external audit firm has been engaged to conduct a comprehensive review of backend systems, focusing initially on access-control lists (ACLs).

Internally, The Browser Company is enhancing its processes to identify vulnerabilities earlier. New development guidelines emphasize defense-in-depth coding practices and secure-by-design principles.

The frequency of security-specific code audits involving internal teams and external firms will increase.

Commitment to Transparency and Security

The company has also revamped its incident response processes to improve communication and response times.

A new Security Bulletin will be the authoritative source for all security incident reports, including technical write-ups and impact assessments.

As The Browser Company continues its journey with Arc, it remains committed to reducing technical debt and maintaining an agile approach to product development.

With ongoing efforts to strengthen its security posture, the company invites those interested in security roles to join its team.
