Arc Bounty Program
At The Browser Company of New York, we care deeply about safeguarding the security and privacy of everyone who uses Arc. We also recognize the security research community’s invaluable role in this mission. If you spot a vulnerability, we want to hear about it—and are eager to make things right. Your work helps us build a safer, more secure, trustworthy browsing experience for all.
This page outlines how we collaborate with and reward external researchers. Please take a moment to review our Bug Bounty Program Terms for any additional details not covered here.
How to Submit your Research
If you believe you’ve identified a security or privacy issue that affects BCNY products, services, or software, here’s how you can report it to us:
- Submit your report to [email protected] with a detailed description of the vulnerability. Include any supporting evidence, such as:
  - A technical breakdown of the behavior you’ve observed
  - Steps to reproduce the issue
  - A proof of concept or exploit (if applicable)
- Keep the details private: Please don’t publicly disclose the vulnerability until we’ve had a chance to review and address it - this helps to safeguard the security of Arc users.
- Collaborate in good faith: We ask for a reasonable amount of time to investigate and fix the issue. Please do not exploit the vulnerability or misuse any data that may be compromised.
- Coordinate public disclosure (if applicable): Once the issue has been resolved, we’re happy to discuss coordinated public disclosure, but only after ensuring the security of our users.
Our Commitment to You
- We’ll acknowledge receipt of your report within 1 business day.
- Our engineers will review and investigate every submission.
- Depending on the severity and impact, you may receive recognition or rewards through our bug bounty program.
Scope
This policy applies to the following:
Clients
- Arc on macOS and Windows
- Arc Search for iOS
Domains
- arc.net
- bcny.com
- thebrowser.company
Bounty Categories
If you submit research for a vulnerability and it meets our eligibility criteria, BCNY will award a bounty. The BCNY Bounty program is designed to recognize your work in helping us protect the security and privacy of our users.
Our Bounty reward payments are made at BCNY’s sole discretion and are based on the severity and impact of the vulnerability, and the quality of the submission. A high-quality research report is critical to help us confirm and address an issue quickly, and could help you receive a Bounty reward.
The examples shown for each category are representative of potential BCNY Bounty payments. However, we recognize that certain factors may necessitate higher or lower rewards. Therefore, discretion may be used in determining the final payout, taking into account the specific context of each vulnerability.
| Severity | Description | Reward Range |
|---|---|---|
| Critical | Vulnerabilities that grant full system access and allow access to both non-Arc and Arc data, or an exploit with extraordinary impact (e.g., triggered without user interaction). | $10,000 - $20,000 |
| High | Serious security issues that compromise session integrity, expose sensitive data from other domains, or cause memory corruption allowing attackers to take over a user’s device or system. Exploits in browser extensions with elevated permissions may also fall under this category. | $2,500 - $10,000 |
| Medium | Vulnerabilities that may affect multiple browser tabs or cause limited impact to user sessions or data, or allow unauthorized access to some sensitive information without user consent. Some user interaction may be required. | $500 - $2,500 |
| Low | Minor issues requiring significant user interaction, or configuration errors like insecure default settings. Vulnerabilities with limited scope or that are hard to exploit may also fall under this category. | Up to $500 |
For any questions or further clarification, please contact us directly at [email protected].
Keeping Arc Secure
Your browser is a portal to the whole internet, and everything in it. So ensuring your browser is as airtight and secure as it can possibly be is incredibly important to us.
We’re a small (but mighty) team working to ensure you never have to worry that your data is being misused, misappropriated, or sold in ways you’re not aware of.
But don’t take our word for it. Below, we’ve listed everything we can think of that you might want to know about our security practices. For more on privacy, click here.
And if you have any questions, just shoot us an email at any time at [email protected]. We’re all ears!
Outside Security Assessments
Since we are a small security team, we’ve contracted with Latacora to do regular outside security reviews and trainings across a wide range of different systems:
- Corporate systems
- Infrastructure
- Build and tooling systems
- Full codebase audits
- Desktop and mobile apps
Browser Engine
Building a browser from the ground up is really hard, which is why Arc is built on Chromium — the same engine that powers Google Chrome and Microsoft Edge. So, Arc benefits from the same foundation that makes those browsers reliable and secure. But since Chromium is open source, we can augment it to further protect your privacy. Click here for more on the differences between Chromium and Chrome.
As for security, Chromium is constantly updated with security fixes for new vulnerabilities, and we take staying up to date with the newest version of Chromium very seriously. We even have a dedicated team of lovely Chromium engineers! Our upgrade process guarantees that Arc is always using the latest version of Chromium within 48 hours of a new version or hotfix being released.
List of Disabled Chromium Features
- Google Accounts Integration (GAIA) disabled
  - Chromium won’t send requests for accounts on startup to accounts.google.com
  - No syncing of Chromium profiles, cookies, passwords, bookmarks to Google via your Google account
- Google metrics (UMA) reporting is disabled
- No session fingerprinting
- No logging of your browsing activities (creating bookmarks, searching, autofills, links you click, etc.)
- No telemetry or crash report data is sent to Google
- Uploading settings after resetting profile is disabled
- Reporting Observers and Reporting API are disabled
- Network logging to file is disabled
Infrastructure
Arc uses GCP Firebase for user authentication, storage for Notes & Easels, and Cloud Functions for certain application features like referral code generation. All data stored in Firebase is encrypted-at-rest by default.
Direct access to any production data is limited to a few select teams based on their roles. Access is logged and reviewed at regular intervals. We store as little PII as possible and routinely audit our data to ensure we’re not storing anything sensitive. Please see the privacy policy for a list of what user data is stored.
Logging & Analytics
Over the course of using the Browser, we collect certain telemetry data related to internal actions that the Browser is taking and actions that cause the Browser to crash. We collect this information to improve the Browser and understand categories of issues that members are experiencing.
Our philosophy for analytics is that they should be helpful in improving the product while simultaneously protecting member privacy. To ensure this, we do NOT log the following:
| Data Categories We Don’t Log | Examples |
|---|---|
| Personally-identifiable information (PII) | Email address, name |
| Information about what members are viewing | URLs, bookmarks, page content, history |
| User-generated content | Note text, Easels, space names, search terms |
Logs are stored for 30 days in our third-party provider Datadog and are encrypted in transit. Access to logs is locked down to only BCNY employees whose roles require access. We have automated monitoring and alerting for any unauthorized access attempts to any logs. We routinely run internal audits of access to logs to ensure that BCNY employees only have access to information they need to complete their jobs.
Third-party tools used
- Sentry is used for collecting analytics data from crashes and other bugs in the application.
- LaunchDarkly is used for rolling out and managing all feature flags in Arc.
- Segment is used for collecting anonymized telemetry data to assist our development teams in making application improvements. No PII is ever shared with the Browser Company of New York. Please see the list of what we do NOT log above.
- BigQuery is used for collecting anonymized product usage data to understand feature usage and improve our product. This data NEVER includes the websites you visit, files you download, or content you create in the product.
FAQ
- Why does Arc require an account to use?
  Here’s a link to our forum that explains the rationale behind requiring an account to use Arc: Why do I need an account?
- Do you have a SOC2 or ISO 27001 certification?
  We are not SOC2 or ISO 27001 certified currently but will look at achieving SOC2 compliance in the near future.
- How will you monetize without selling user data?
  That’s a great question! While we don’t have specifics to share at this time, we don’t plan to ever sell user data. For more information, please see this video from our CEO.
- Does Arc come with a built-in ad-blocker?
  Arc comes with uBlock Origin already installed, but the user has full control of their browser and can uninstall it if that’s preferred. We currently don’t have a custom-built ad-blocker but are looking at building further member protections into Arc in the future. Since we’re using Chromium under the hood, any ad-blockers or privacy tooling available in the Chrome app store work with Arc.
- Can I configure multi-factor authentication (MFA) for my Arc account?
  We currently do not have the option of configuring MFA for your account, but that is a feature we plan to implement.