
Microsoft Boosts .NET Bounty Program Rewards to $40,000

Valid, complete reports detailing remote code execution or elevation of privilege bugs in .NET qualify for the maximum rewards.


Microsoft on Thursday announced that security researchers can now earn up to $40,000 in rewards for qualifying reports detailing vulnerabilities in the .NET framework and adjacent technologies.

Interested researchers, the tech giant says, may earn the maximum rewards for complete reports detailing critical-severity remote code execution (RCE) or elevation of privilege (EoP) flaws in .NET and ASP.NET Core (including Blazor and Aspire).

Researchers reporting security bypasses may receive rewards of up to $30,000 for their findings, while remote denial-of-service (DoS) bugs could earn them up to $20,000. Microsoft will pay up to $20,000 for spoofing or tampering issues, information disclosure bugs, and cases of insecure documentation.

The tech giant also announced that the scope of the bug bounty program has been expanded, now covering all supported .NET and ASP.NET versions, F# and other adjacent technologies, supported ASP.NET Core for .NET Framework versions, templates for .NET and ASP.NET Core, and GitHub Actions in the .NET and ASP.NET Core repositories.

Additionally, Microsoft has made changes to submission evaluation and rewarding, with clearer severity levels, security impacts, and revised criteria for report quality.

As part of the restructured .NET Bounty Program, Microsoft will calculate rewards based on a vulnerability’s potential impact, so that high-severity security defects receive higher payouts.


The new security impact types are aligned with those Microsoft uses in its other bug bounty programs, so that researchers can better understand how their submissions are assessed.

Every report, Microsoft notes, will be rated ‘complete’ or ‘not complete’, depending on whether it includes a fully functional exploit. Researchers will receive lower rewards for theoretical scenarios.

Thus, ‘not complete’ submissions detailing critical-severity RCE, EoP, and security bypass bugs will be awarded up to $20,000. Remote DoS reports that are not complete will be awarded up to $15,000, while incomplete reports of spoofing, information disclosure, and insecure documentation issues will not earn more than $7,000.

“These updates promote transparency and encourage detailed, actionable submissions that help improve the security of the .NET ecosystem,” Microsoft notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
