Security researchers can now make money by finding bugs in the Arc browser, the company has revealed.
The Browser Company, which develops and operates the browser, announced a new bounty program to help it close dangerous holes.
Rather unimaginatively called the Arc Bug Bounty program, it covers bugs in Arc on macOS and Windows, and in Arc Search on iOS.
Errors in the Arc browser
Depending on the severity of the discovered vulnerability, researchers can expect different payouts.
Low-severity issues pay out up to $500, medium-severity issues pay out anywhere from $500 to $2,500, and high-severity issues pay out between $2,500 and $10,000. Discovering a critical vulnerability, one that grants full system access or could otherwise have a significant impact, will yield anywhere from $10,000 to $20,000.
The Browser Company decided to set up its own bug bounty program after being tipped off about CVE-2024-45489.
This was a critical vulnerability affecting versions prior to 2024-08-26, allowing remote code execution via JavaScript boosts. In the Arc browser, “Boosts” are tools that allow users to customize websites by changing their appearance or functionality.
The issue stems from misconfigured Firebase Access Control Lists (ACLs), which allowed an attacker to create or update a JavaScript boost using another user’s ID. The malicious boost is then installed in the victim’s browser, where its arbitrary code is executed with elevated privileges. Despite its severity, the vulnerability was categorized as a “no action” issue, meaning users were not affected and did not need to do anything themselves because it was addressed on the cloud side. This is also likely why the researcher who exposed the vulnerability was paid only $2,000 for the discovery.
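To illustrate the class of misconfiguration described above, here is an added example that is not taken from the article or from Arc’s own code: a Firestore security rule that only checks that the caller is signed in, beside one that also ties every create and update to the caller’s own user ID. The collection name `boosts`, the `ownerId` field, and the use of Firestore rather than another Firebase product are assumptions; the article does not describe Arc’s actual schema or rules.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (assumed shape of the flaw): authentication without authorization.
    // Any signed-in user may write any document in the collection, including
    // one whose ownerId names a different user, so a crafted boost can be
    // placed under a victim's ID and synced to the victim's browser.
    //
    // match /boosts/{boostId} {
    //   allow read, write: if request.auth != null;
    // }

    // HARDENED: the caller must be signed in AND the document must belong
    // to the caller. Ownership is checked on both the existing document
    // (resource) and the incoming data (request.resource), so a client can
    // neither write into another user's boost nor reassign its owner.
    match /boosts/{boostId} {
      // Anyone signed in may read their own boosts only.
      allow read: if request.auth != null
                  && resource.data.ownerId == request.auth.uid;

      // New boosts must be stamped with the creator's own uid.
      allow create: if request.auth != null
                    && request.resource.data.ownerId == request.auth.uid;

      // Updates and deletes: existing owner must be the caller, and the
      // ownerId field may not change.
      allow update, delete: if request.auth != null
                            && resource.data.ownerId == request.auth.uid
                            && request.resource.data.ownerId == resource.data.ownerId;
    }
  }
}
```

The point of the hardened rule is that the user ID in the request body is never trusted on its own; it is compared against the identity Firebase attached to the request (`request.auth.uid`). Rules like this can be exercised against the local Firebase emulator before deployment, which is where a cross-user write attempt should be seen to fail.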
The bug was fixed in late August 2024 by disabling the automatic sync of boosts with JavaScript. Additionally, late last month the team added a toggle to disable all Boost-related features.
Via BleepingComputer