Microsoft Launches Bug Bounty Program for .NET Core, ASP.NET Beta

Microsoft announced on Tuesday the launch of a new bug bounty program covering .NET core and ASP.NET Beta, which the company says are critical building blocks in the Visual Studio Development Suite.

The news comes less than a week after Microsoft released ASP.NET 5 Beta 8. However, the company has pointed out that the new bug bounty program will cover all betas and release candidates that become available while the bug bounty program is running, namely between October 20, 2015 and January 20, 2016.

Researchers who find vulnerabilities in the .NET core runtime, dubbed “CoreCLR,” and the technical preview of ASP.NET 5 can earn between $500 and $15,000, depending on the quality and complexity of the reported issue. Microsoft says even higher payouts are possible in some cases.

The list of eligible vulnerabilities includes remote code execution, security design flaws, privilege escalation, remote denial-of-service (DoS), tampering and spoofing, information leaks, and cross site scripting (XSS) and cross-site request forgery (CSRF) issues. All vulnerability reports must be accompanied by a proof-of-concept (PoC).

For example, the highest payout ($15,000) is offered for a remote code execution vulnerability submission that includes a functioning exploit, and a high quality report or whitepaper. An RCE flaw submission that does not include a functioning exploit and contains only a low quality report can earn the reporter up to $1,500.

Microsoft is prepared to offer up to $10,000 for security design flaws and privilege elevation issues, up to $5,000 for DoS and spoofing/tampering vulnerabilities, and up to $2,500 for information leaks. CSRF and XSS flaws can earn researchers up to $2,000.

“This bounty is particularly interesting because the libraries and functions included in .NET enable developers to write their own programs with great security and stability, increasingly on many Operating Systems,” the Microsoft Security Response Center team wrote in a blog post.

The bug bounty program covers CoreCLR and ASP.NET 5 running on Windows, Linux and OS X. However, Microsoft has pointed out that the networking stack on Linux and OS X will only be added to the program in later beta and RC releases, after it reaches the stability and security it currently has on Windows.

Microsoft has made significant changes to its bug bounty program over the past period. In August, the company announced double payouts for anti-exploitation techniques, and the expansion of the Online Services Bug Bounty to include Microsoft Account.

The tech giant announced at the time that for a limited period it would pay up to $30,000 for authentication vulnerabilities in its online services. Wesley Wineberg, senior security research engineer at Synack, was one of the experts who took advantage of the offer. He was awarded $24,000 for a critical authentication flaw affecting the Live.com service.