Connect with us

Hi, what are you looking for?



Microsoft Launches Bug Bounty Program for .NET Core, ASP.NET Beta

Microsoft announced on Tuesday the launch of a new bug bounty program covering .NET core and ASP.NET Beta, which the company says are critical building blocks in the Visual Studio Development Suite.

Microsoft announced on Tuesday the launch of a new bug bounty program covering .NET core and ASP.NET Beta, which the company says are critical building blocks in the Visual Studio Development Suite.

The news comes less than a week after Microsoft released ASP.NET 5 Beta 8. However, the company has pointed out that the new bug bounty program will cover all betas and release candidates that become available while the bug bounty program is running, namely between October 20, 2015 and January 20, 2016.

Researchers who find vulnerabilities in the .NET core runtime, dubbed “CoreCLR,” and the technical preview of ASP.NET 5 can earn between $500 and $15,000, depending on the quality and complexity of the reported issue. Microsoft says even higher payouts are possible in some cases.

The list of eligible vulnerabilities includes remote code execution, security design flaws, privilege escalation, remote denial-of-service (DoS), tampering and spoofing, information leaks, and cross site scripting (XSS) and cross-site request forgery (CSRF) issues. All vulnerability reports must be accompanied by a proof-of-concept (PoC).

For example, the highest payout ($15,000) is offered for a remote code execution vulnerability submission that includes a functioning exploit, and a high quality report or whitepaper. An RCE flaw submission that does not include a functioning exploit and contains only a low quality report can earn the reporter up to $1,500.

Microsoft is prepared to offer up to $10,000 for security design flaws and privilege elevation issues, up to $5,000 for DoS and spoofing/tampering vulnerabilities, and up to $2,500 for information leaks. CSRF and XSS flaws can earn researchers up to $2,000.

“This bounty is particularly interesting because the libraries and functions included in .NET enable developers to write their own programs with great security and stability, increasingly on many Operating Systems,” the Microsoft Security Response Center team wrote in a blog post.

Advertisement. Scroll to continue reading.

The bug bounty program covers CoreCLR and ASP.NET 5 running on Windows, Linux and OS X. However, Microsoft has pointed out that the networking stack on Linux and OS X will only be added to the program in later beta and RC releases, after it reaches the stability and security it currently has on Windows.

Microsoft has made significant changes to its bug bounty program over the past period. In August, the company announced double payouts for anti-exploitation techniques, and the expansion of the Online Services Bug Bounty to include Microsoft Account.

The tech giant announced at the time that for a limited period it would pay up to $30,000 for authentication vulnerabilities in its online services. Wesley Wineberg, senior security research engineer at Synack, was one of the experts who took advantage of the offer. He was awarded $24,000 for a critical authentication flaw affecting the service.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.