Microsoft announced on Tuesday the launch of a new bug bounty program covering .NET core and ASP.NET Beta, which the company says are critical building blocks in the Visual Studio Development Suite.
The news comes less than a week after Microsoft released ASP.NET 5 Beta 8. However, the company has pointed out that the new bug bounty program will cover all betas and release candidates that become available while the bug bounty program is running, namely between October 20, 2015 and January 20, 2016.
Researchers who find vulnerabilities in the .NET core runtime, dubbed “CoreCLR,” and the technical preview of ASP.NET 5 can earn between $500 and $15,000, depending on the quality and complexity of the reported issue. Microsoft says even higher payouts are possible in some cases.
The list of eligible vulnerabilities includes remote code execution, security design flaws, privilege escalation, remote denial-of-service (DoS), tampering and spoofing, information leaks, and cross site scripting (XSS) and cross-site request forgery (CSRF) issues. All vulnerability reports must be accompanied by a proof-of-concept (PoC).
For example, the highest payout ($15,000) is offered for a remote code execution vulnerability submission that includes a functioning exploit, and a high quality report or whitepaper. An RCE flaw submission that does not include a functioning exploit and contains only a low quality report can earn the reporter up to $1,500.
Microsoft is prepared to offer up to $10,000 for security design flaws and privilege elevation issues, up to $5,000 for DoS and spoofing/tampering vulnerabilities, and up to $2,500 for information leaks. CSRF and XSS flaws can earn researchers up to $2,000.
“This bounty is particularly interesting because the libraries and functions included in .NET enable developers to write their own programs with great security and stability, increasingly on many Operating Systems,” the Microsoft Security Response Center team wrote in a blog post.
The bug bounty program covers CoreCLR and ASP.NET 5 running on Windows, Linux and OS X. However, Microsoft has pointed out that the networking stack on Linux and OS X will only be added to the program in later beta and RC releases, after it reaches the stability and security it currently has on Windows.
Microsoft has made significant changes to its bug bounty program over the past period. In August, the company announced double payouts for anti-exploitation techniques, and the expansion of the Online Services Bug Bounty to include Microsoft Account.
The tech giant announced at the time that for a limited period it would pay up to $30,000 for authentication vulnerabilities in its online services. Wesley Wineberg, senior security research engineer at Synack, was one of the experts who took advantage of the offer. He was awarded $24,000 for a critical authentication flaw affecting the Live.com service.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
