$2000 is an absurdly small bounty here - you should up that

radicaldreamer · 2024-09-20T21:19:22 1726867162

50k or 100k would be far more appropriate given the severity of this issue. But overall, this makes me think there's probably a lot more vulnerabilities in Arc that are undiscovered/unpatched.

Also, there's the whole notion of every URL you visit being sent to Firebase -- were these logged? Awful for a browser.

ha470 · 2024-09-20T23:00:41 1726873241

Ya this is fair! Honestly this was our first bounty ever awarded and we could have been more thoughtful. We’re currently setting up a proper program and based on that rubric will adjust accordingly.

ARandomerDude · 2024-09-21T03:21:18 1726888878

> Honestly this was our first bounty ever awarded and we could have been more thoughtful

That’s corporate speak for “no, we won’t pay the researcher any more money.”

karlzt · 2024-09-21T00:51:02 1726879862

$200k for this big bug.

karlzt · 2024-09-21T18:21:24 1726942884

My comment has been downvoted twice, but I don't see it grayed out, I wonder why.