最近,Arc 浏览器的开发公司 —— 浏览器公司(The Browser Company)宣布正式启动一项新的漏洞赏金计划,旨在提高其基于 Chromium 的浏览器的安全性。这项举措不仅是为了更好地保护用户,还希望通过与研究人员保持透明和主动的沟通,提升用户对安全问题的信任。
这次安全措施的推出,是在发现了一起严重漏洞后进行的。该漏洞由一位名叫 xyz3va 的研究人员发现,若不及时修复,恶意行为者可能会利用这一漏洞,通过用户的公开 ID,向任何人的浏览器中插入任意代码。这个问题出现在 Arc 的 Boosts 功能中,该功能允许用户用 CSS 和 Javascript 自定义任何网站。为了加强安全性,浏览器公司在更新版本1.61.2中,默认禁用了支持 Javascript 的 Boosts 功能,并增加了一个全局开关,以便用户可以完全关闭 Boosts。
在漏洞被报告后,浏览器公司初步给予研究人员2000美元的赏金,但随着漏洞赏金计划的启动,公司的补偿提高到了2万美元。这一漏洞在8月26日已成功修复。
新的赏金计划使得安全研究人员可以根据漏洞的严重性提交报告并获得相应的奖励。比如,对于低严重性、限制范围或难以利用的漏洞,奖励最高可达500美元;中等严重性漏洞可获得最高2500美元;高严重性漏洞可得到最高10000美元,而关键漏洞则能获得高达20000美元的奖励。
此外,浏览器公司还在其博客中详细列出了为发现其他漏洞而采取的新措施,包括开发指南、额外的代码审查、进行安全专项代码审计,以及招聘新的安全工程团队成员。这些措施不仅表明了公司的决心,也为提升整体安全性奠定了基础。
Recently, The Browser Company, the developer of the Arc browser, announced the official launch of a new bug bounty program aimed at enhancing the security of its Chromium-based browser. This initiative is not only designed to better protect users but also to improve their trust in security issues by maintaining transparent and proactive communication with researchers.
The introduction of this security measure came after the discovery of a severe vulnerability. The flaw was identified by a researcher named xyz3va, and if not patched promptly, malicious actors could exploit it to inject arbitrary code into anyone’s browser through their public ID. This issue was present in Arc’s Boosts feature, which allows users to customize any website with CSS and JavaScript. To bolster security, The Browser Company disabled the JavaScript-supporting Boosts feature by default in version 1.61.2 and added a global switch to allow users to completely turn off Boosts.
After the vulnerability was reported, The Browser Company initially awarded the researcher a bounty of $2,000, but with the launch of the bug bounty program, the company’s compensation has increased to $20,000. The vulnerability was successfully fixed on August 26th.
The new bounty program allows security researchers to submit reports and receive corresponding rewards based on the severity of the vulnerabilities. For instance, low severity, limited scope, or hard-to-exploit vulnerabilities can receive a reward of up to $500; medium severity vulnerabilities can get up to $2,500; high severity vulnerabilities can receive up to $10,000, and critical vulnerabilities can be awarded up to $20,000.
Furthermore, The Browser Company has detailed new measures taken to discover other vulnerabilities on its blog, including development guidelines, additional code reviews, conducting security-focused code audits, and hiring new members for the security engineering team. These measures not only demonstrate the company’s determination but also lay the foundation for enhancing overall security.
