Comment by tnorthcutt 10 months ago
https://www.crunchbase.com/organization/the-browser-company/...
> Total Funding Amount $68M
the browser company normally does not do bug bounties, but for this catastrophic of a vuln, they decided to award me with $2,000 USD
I'm struggling to put into words how disappointing I find this.
Thanks for the reply! I think I disagree with you, mostly because it seems like this particular bug could have been company-destroying because of the potential reputation hit if it was exploited on a wide scale.
But regardless, I appreciate your perspective and it gives me some stuff to consider I hadn't previously.
I think we all know that tech debt often lives forever, so if you're going to start a browser company, you simply must be thinking about security/privacy from day one. If the VC model doesn't make that possible, then the only reasonable conclusion is that browsers shouldn't be a thing that VC funded startups work on.
I appreciate your response, and largely agree with you. But you can take security seriously without having a program in place to pay non employees for work they did without you asking them to.
Also, while I love companies that have bug bounty programs... I don't think any company without such a program is under any obligation to pay someone just because they volunteered their time without the company knowing about it or soliciting the work in any way.
So the fact that they did in this case, despite having no program, is what I'm choosing to focus on.
I want to share a personal anecdote to put my opinion into more perspective. I owned a small business operating a for-profit website for 18 years, for 15 of those years it was my primary source of income. I had no employees other than myself. It was just me on my own working from home. I earned enough to pay the bills, but I'm currently earning 2x what my business earned at its peak traffic by being an employee. So it's not like I had money to be paying people... it was pretty much an average software engineer's salary in terms of what I brought in.
Anyway, over those 18 years I had a few dealings with some white-hats who were very nice and clued me in to some issues. I thanked them and when they politely asked if "we" (because they didn't know any better) had a program it was a non-issue when I explained that I'm too broke as a one-person shop trying to feed a family to be paying out anything substantial but I could PayPal a cup of coffee or something for their trouble. But then I had a few dealings with complete shady assholes who tried to extort money out of me by threatening to exploit what they had found and go public and basically drag my reputation through the mud.
Experiences with the latter group make me sympathize a lot more with companies that decide to have a policy of just blanket not dealing with outside security researchers, to take the information and then deal with the fixes internally and quietly.
This is 100% company culture, probably the ones that decide this kind of things are not technical or don't understand how important is this.
They disclosed the vulnerability directly to the co-founder CTO.
> the timeline for the vulnerability:
> aug 25 5:48pm: got initial contact over signal (encrypted) with arc co-founder hursh
> aug 25 6:02pm: vulnerability poc executed on hursh's arc account
Arc is a great product, it's the nicest web browser to use, you can tell these people are really good at their jobs in many respects (though apparently not security?!?). probably a lot of investors saw that too and are willing to fund a very strong team with the hope of eventual product-market fit.
I've got a different take. If they're in the VC phase, that means they are not self sufficient. The amount of funding that they've raised is no indication what-so-ever of a) how much of that funding has actually been realized / received b) what their overhead is and c) what their overall financial picture looks like.
I do wish that more companies would take privacy and security seriously. And bug bounty programs are great. But they're not always within the budget of companies and the fact that they decided to award this security researcher regardless of having no such program is a massive win in my opinion and shows how much they value this particular contribution.