Microsoft Offers Up to $15,000 in Bounties for .NET Core, ASP.NET RC2 Beta Vulnerabilities
Microsoft this week announced an expansion to its bug bounty program to include the newly released .NET Core and ASP.NET Core RC2 Beta.
The expansion serves a simple, forward purpose: the company is getting ready for the final release of .NET Core and ASP.NET and wants to make sure that it squashes security vulnerabilities in the product before that happens. The .NET Core and ASP.NET Core RC2 Beta Build was released in mid-May and researchers can grab it from Microsoft’s website.
By adding the product to the bounty program, the technology giant is looking to receive feedback from the security research community on it, and is also willing to pay for that. In fact, the company has announced that the bounties could go for as much as $15,000. The payouts, however, are dependent on the quality and complexity of the reported vulnerability, and their lower limit has been set at $500.
Between October 2015 and January 2016, Microsoft ran a CoreCLR and ASP.NET 5 Beta bounty program, which was also focused on finding and resolving security issues in the .NET core runtime. The newly revealed bounty extension is a successor of the previous program, and the bounties are similar.
Microsoft also notes that the new program is applicable to .NET Core, ASP.NET Core RC2 and to all of the subsequent Release Candidates that will be released during the bounty period. The final RTM version is also included, provided that it is released within the bounty period, the company explains on the Microsoft Bounty Programs web page.
According to Microsoft, researchers willing to participate in the program can submit reports for vulnerabilities found in .NET Core and ASP.NET Core RC2 on Windows, OS X and Linux platforms.
“This new bounty will be in addition to our ongoing Nano Server beta, Online Services, and Mitigation bypass and Bounty for Defense bounty programs. These additions are a part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits,” Microsoft says.
Over the past year, Microsoft made various changes to its bug bounty program, starting with the introduction of double payouts for anti-exploitation techniques in August last year. This year, the company expanded the Online Services Bug Bounty to include OneDrive, and also added Nano Server to the Bug Bounty Program in early May.