CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Expands Bug Bounty Program

Microsoft Offers Up to $15,000 in Bounties for .NET Core, ASP.NET RC2 Beta Vulnerabilities

Microsoft this week announced an expansion to its bug bounty program to include the newly released .NET Core and ASP.NET Core RC2 Beta.

Microsoft Offers Up to $15,000 in Bounties for .NET Core, ASP.NET RC2 Beta Vulnerabilities

Microsoft this week announced an expansion to its bug bounty program to include the newly released .NET Core and ASP.NET Core RC2 Beta.

The expansion serves a simple, forward purpose: the company is getting ready for the final release of .NET Core and ASP.NET and wants to make sure that it squashes security vulnerabilities in the product before that happens. The .NET Core and ASP.NET Core RC2 Beta Build was released in mid-May and researchers can grab it from Microsoft’s website.

By adding the product to the bounty program, the technology giant is looking to receive feedback from the security research community on it, and is also willing to pay for that. In fact, the company has announced that the bounties could go for as much as $15,000. The payouts, however, are dependent on the quality and complexity of the reported vulnerability, and their lower limit has been set at $500.

Between October 2015 and January 2016, Microsoft ran a CoreCLR and ASP.NET 5 Beta bounty program, which was also focused on finding and resolving security issues in the .NET core runtime. The newly revealed bounty extension is a successor of the previous program, and the bounties are similar.

Microsoft also notes that the new program is applicable to .NET Core, ASP.NET Core RC2 and to all of the subsequent Release Candidates that will be released during the bounty period. The final RTM version is also included, provided that it is released within the bounty period, the company explains on the Microsoft Bounty Programs web page.

According to Microsoft, researchers willing to participate in the program can submit reports for vulnerabilities found in .NET Core and ASP.NET Core RC2 on Windows, OS X and Linux platforms.

“This new bounty will be in addition to our ongoing Nano Server beta, Online Services, and Mitigation bypass and Bounty for Defense bounty programs. These additions are a part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits,” Microsoft says.

Advertisement. Scroll to continue reading.

Over the past year, Microsoft made various changes to its bug bounty program, starting with the introduction of double payouts for anti-exploitation techniques in August last year. This year, the company expanded the Online Services Bug Bounty to include OneDrive, and also added Nano Server to the Bug Bounty Program in early May.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.