New Microsoft Bug Bounty

Microsoft has fired up a new bug bounty for .NET Core and ASP.NET Core.

Redmond's willing to hand over $500 to $15,000, depending on the severity of bugs you find in:

  • The latest RTM version, or supported Beta or RC releases of latest versions of Microsoft .NET Core, ASP.NET Core;
  • Vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later;
  • Kestrel, Microsoft’s web server.

The bounty kicked off on September 1, 2016 and will “run indefinitely (ending at Microsoft’s discretion).”

The program replaces a similar effort that targeted RC2 of .NET Core and ASP.NET Core.

Microsoft now has six Bug Bounty programs in action. Those for online services in Azure and Office 365 are open-ended, as is the program for “Defensive Ideas” and mitigation bypasses. Another for Microsoft Edge RCE on Windows Insider Preview Bug Bounty expires in May 2017. Microsoft's bug bounties are listed here. ®


Biting the hand that feeds IT © 1998–2017