
Arc Browser Launches Security Bug Bounty Program with Rewards of up to $20,000


Recently, The Browser Company, the developer of the Arc browser, announced the official launch of a new bug bounty program aimed at improving the security of its Chromium-based browser. The initiative is intended not only to better protect users but also to build their trust on security matters through transparent and proactive communication with researchers.

The program was introduced after the discovery of a severe vulnerability. The flaw was identified by a researcher named xyz3va; had it not been patched promptly, malicious actors could have exploited it to inject arbitrary code into anyone’s browser using only that user’s public ID. The issue was in Arc’s Boosts feature, which allows users to customize any website with CSS and JavaScript. To strengthen security, The Browser Company disabled Boosts with JavaScript by default in version 1.61.2 and added a global switch that lets users turn Boosts off completely.

After the vulnerability was reported, The Browser Company initially awarded the researcher a bounty of $2,000, but with the launch of the bug bounty program, the company’s compensation has increased to $20,000. The vulnerability was successfully fixed on August 26th.

The new bounty program allows security researchers to submit reports and receive corresponding rewards based on the severity of the vulnerabilities. For instance, low severity, limited scope, or hard-to-exploit vulnerabilities can receive a reward of up to $500; medium severity vulnerabilities can get up to $2,500; high severity vulnerabilities can receive up to $10,000, and critical vulnerabilities can be awarded up to $20,000.

Furthermore, The Browser Company has detailed on its blog the new measures it is taking to find other vulnerabilities, including development guidelines, additional code reviews, security-focused code audits, and hiring new members for the security engineering team. These measures not only demonstrate the company’s determination but also lay the foundation for improving overall security.
