Comment by radicaldreamer 10 months ago
Many engineers at SV startups use Arc on a daily basis. This bug could've resulted in the compromise of multiple companies, probably including crypto exchanges. A browser bug of this severity is extremely valuable, even for a niche browser like Arc.
There is also 3: putting a big bounty out signals other very smart and ingenious security researchers that Arc is a lucrative opportunity to make money. Till now it's been "safe" in relative obscurity so not a lot of people focused on hacking it or gave it a lot of effort because it wasn't worth their time.
It’s already going to be under the microscope now from black hats, so unless they want a catastrophic issue to result in user harm, they better get their act together.
> Many engineers at SV startups use Arc on a daily basis
Do we have adoption statistics?
It would seem prudent for the browser to be banned in professional environments. (I use Kagi's Orion browser as a personal browser on MacOS. My work is done in Firefox.)
> browser bug of this severity is extremely valuable, even for a niche browser like Arc
Absolutely. (Even if it were in beta.)
What I'm trying to say is the $2k payout sends a message. One, that The Browser Company doesn't take security seriously. And/or two, that they don't think they could pay out a larger number given the state of their codebase.
Side note: my favourite content on crisis management is this 2-minute video by Scott Galloway [1]. (Ignore the political colour.)
[1] https://www.youtube.com/watch?v=PB-AyvgE8Ns