YARR(-c) bug bounty programme

Arc try to prevent other 'catastrophic' failures

Arc bug bounty programme / Arc.com

Arc, the browser aiming to differentiate itself from Google Chr… I mean other browsers, has launched a bug bounty programme.

This comes in handy as just a few weeks ago a ‘catastrophic’ vulnerability was found in Arc. The kind of bug that would allow someone to insert custom code in anyone’s browser. Is that the bad kind of bug? I can’t tell.

Anyhow.

The event obviously shook Arc CEO Josh Miller enough to create a security bulletin & a bounty programme.

As a founder, it’s deeply personal to face up to an incident like this. This was our first major discovered vulnerability but—and I wince when I say it—it won’t be the last.

Josh Miller, Arc CEO

From a product perspective, bug bounties are an interesting way to beef up a product using the general public’s collective intelligence and savoir-faire. Here are some famous bugs & their precious bounties:

  • Apple’s iOS Zero-Day bug bounty (2019). Zerodium rewarded an anonymous researcher $2 million for a zero-click vulnerability that allowed remote code execution without user interaction.

  • Google Pixel bug bounty (2016). Google rewarded the Alpha Team $200,000 for a bug that allowed remote control over a Google Pixel device.

  • Facebook’s remote code execution bounty (2017). Facebook awarded Andrew Leonov $40,000 for discovering a vulnerability that allowed remote code execution via a tool Facebook was using for image processing.

But those are the rosy sides of bug bounty programmes. It so happens that bug bounties can also produce a decent amount of backlash, particularly if the company tries to cover up the breach, underpay its finders, or flat-out refuse to pay up.

Let’s see what our hackin’ friends dig up.