radicaldreamer 10 months ago

50k or 100k would be far more appropriate given the severity of this issue. But overall, this makes me think there are probably a lot more vulnerabilities in Arc that are undiscovered/unpatched.

Also, there's the whole notion of every URL you visit being sent to Firebase -- were these logged? Awful for a browser.

ha470 10 months ago

Ya this is fair! Honestly this was our first bounty ever awarded and we could have been more thoughtful. We’re currently setting up a proper program and based on that rubric will adjust accordingly.

  • ARandomerDude 10 months ago

    > Honestly this was our first bounty ever awarded and we could have been more thoughtful

    That’s corporate speak for “no, we won’t pay the researcher any more money.”

  • karlzt 10 months ago

    $200k for this big bug.

    • karlzt 10 months ago

      My comment has been downvoted twice, but I don't see it grayed out. I wonder why.