Investing in Security at The Browser Company

Tag: Security Bulletin
Published: September 27, 2024 at 5:23 PM

Hi there, Josh here, CEO of The Browser Company.

Last week, my cofounder Hursh shared an Incident Report about a vulnerability in Arc that was surfaced to us on Aug 25 and fixed on Aug 26. Although no users were affected, this was an important moment for us and for our members. We’ve taken this opportunity to level up our security and incident response practices across the company, and I wanted to share a one-week update on our progress.

In that post, we shared nine changes we were making going forward, some specific to this vulnerability and some organizational. Our team has since been working around the clock to learn and thoughtfully correct course. Talk is cheap in these moments and action is all that matters. Therefore, I’d like to share the concrete changes we’ve made and will continue to make at The Browser Company.

Transparent and proactive communication

We’ve always strived to communicate transparently, thoughtfully, and clearly with our membership as we build Arc — and security is no different. Today, we’re releasing a new Security Bulletin, which will serve as the source of truth for all security incident reports. That includes technical write-ups, CVE numbers, mitigations, and impact assessments.

Furthermore, we have started and will continue to include all security-focused fixes in our release notes, which can always be found in the Arc Resource Center for Mac, Windows, and Mobile.

Bug Bounty Program

Secondly, we are launching the Arc Bug Bounty Program. Just as we’ve built Arc with our members, we recognize the invaluable role that the security research community plays in fortifying products and platforms like ours. You’ll find details for the Arc Bug Bounty Program here, including the rewards and submission guidelines. We’ve strived to make it the best it can be and know it will evolve — we’d always love to hear from you.

Alongside our new program, we have also taken the opportunity to increase the payment to the researcher for last week’s issue, aligning it with our new guidelines and our appreciation as a team.

Further mitigations for CVE-2024-45489

The root issue behind CVE-2024-45489 was patched on August 26, 2024, with no members affected. Over the past week, our team has continued to ship additional remediations and precautions related to this incident, specifically:

  • We’ve disabled Boosts with JavaScript from being automatically enabled across synced devices — released in Arc 1.61.2.
  • We’ve enabled a new global toggle to disable all Boost-related features in Advanced Settings — released in Arc 1.61.2.
  • We’ve engaged an external audit firm to perform a comprehensive audit of our backend systems — starting with access-control lists (ACLs) and including all code changes in features related to recent vulnerabilities.
  • We are in the process of enabling MDM configuration to disable Boosts for entire organizations, which the team will be releasing in the coming weeks.


Internal process improvements

Inside the team, we’re implementing new practices to help identify potential vulnerabilities earlier, and evolving our engineering posture to further enhance security while developing new features.

  • New development guidelines. Our development team is instituting new guidelines including additional code reviews, defense-in-depth coding practices, and secure-by-design principles.
  • Increasing security-specific code audits. In addition to our existing code reviews, we will implement additional security audits. These audits will be conducted by our Security team and outside auditing firms.
  • Improving our approach to external audits. We are reconfiguring the way we partner with external security audit firms. They will be involved earlier in the release process to help with secure design feedback, and will undertake full code reviews of new features once they are completed. We will also increase the priority of potential issues that are surfaced, and create a new escalation path.
  • Growing our internal security engineering team. We are welcoming a new hire to our Security team this coming Monday, with another role in the pipeline. If you’re interested in Security or SRE roles at The Browser Company, we’d love to hear from you.
  • Overhauling our incident response process. We are revamping our internal incident response processes to enable faster response times and improved communication. We’re strengthening the tracking and ownership of issues, revisiting our hotfix processes, and looping in our communications team as early as possible. We want to share information about security fixes with members as soon as possible, and for security researchers to have as strong an experience as possible when working with our team to fix vulnerabilities.
  • Committing to reducing technical debt. Building Arc has been a journey, and browsers are a complex piece of technology. As we continue on this journey, we want to be mindful that complexity can lead to security issues. We’ll be carefully reviewing our code base to find areas where we can reduce attack surface and improve overall code health. We’ve always been an experimental organization at The Browser Company; this change is important if we want to stay nimble with product development.


Showing up with heartfelt intensity

As a founder, it’s deeply personal to face up to an incident like this. This was our first major discovered vulnerability but—and I wince when I say it—it won’t be the last. All mature products unfortunately deal with these. How you handle and communicate them, and especially how you learn and grow from them, is what makes the difference in trusting a company and a product over the long term. Thanks for bearing with us on this particular bump in the road of Arc’s journey.