Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Expands Bug Bounty Program

Microsoft Offers Up to $15,000 in Bounties for .NET Core, ASP.NET RC2 Beta Vulnerabilities

Microsoft this week announced an expansion to its bug bounty program to include the newly released .NET Core and ASP.NET Core RC2 Beta.

Microsoft Offers Up to $15,000 in Bounties for .NET Core, ASP.NET RC2 Beta Vulnerabilities

Microsoft this week announced an expansion to its bug bounty program to include the newly released .NET Core and ASP.NET Core RC2 Beta.

The expansion serves a simple, forward purpose: the company is getting ready for the final release of .NET Core and ASP.NET and wants to make sure that it squashes security vulnerabilities in the product before that happens. The .NET Core and ASP.NET Core RC2 Beta Build was released in mid-May and researchers can grab it from Microsoft’s website.

By adding the product to the bounty program, the technology giant is looking to receive feedback from the security research community on it, and is also willing to pay for that. In fact, the company has announced that the bounties could go for as much as $15,000. The payouts, however, are dependent on the quality and complexity of the reported vulnerability, and their lower limit has been set at $500.

Between October 2015 and January 2016, Microsoft ran a CoreCLR and ASP.NET 5 Beta bounty program, which was also focused on finding and resolving security issues in the .NET core runtime. The newly revealed bounty extension is a successor of the previous program, and the bounties are similar.

Microsoft also notes that the new program is applicable to .NET Core, ASP.NET Core RC2 and to all of the subsequent Release Candidates that will be released during the bounty period. The final RTM version is also included, provided that it is released within the bounty period, the company explains on the Microsoft Bounty Programs web page.

According to Microsoft, researchers willing to participate in the program can submit reports for vulnerabilities found in .NET Core and ASP.NET Core RC2 on Windows, OS X and Linux platforms.

“This new bounty will be in addition to our ongoing Nano Server beta, Online Services, and Mitigation bypass and Bounty for Defense bounty programs. These additions are a part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits,” Microsoft says.

Over the past year, Microsoft made various changes to its bug bounty program, starting with the introduction of double payouts for anti-exploitation techniques in August last year. This year, the company expanded the Online Services Bug Bounty to include OneDrive, and also added Nano Server to the Bug Bounty Program in early May.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.