Microsoft today opened a bounty for the .NET Core and ASP.NET Beta, both of which are part of the Visual Studio development suite.
The bounty will remain open through Jan. 20 and payouts will fall between $500 and $15,000 USD.
Microsoft said only bugs in the .NET Core runtime [CoreCLR] and beta versions of ASP.NET are eligible.
“This bounty is particularly interesting because the libraries and functions included in .NET enable developers to write their own programs with great security and stability, increasingly on many operating systems,” wrote Jason Shirk, senior director of the Microsoft Security Response Center (MSRC), in a blog post published today. “This will extend to all supported platforms, initially including Linux and OS X, with some current exclusions to non-Windows platforms.”
Including today’s announcement, Microsoft right now has four bounties open. An online services bounty opened Sept. 23, 2014 and applies to vulnerabilities found in eligible Microsoft online services such as Office 365 and Azure services. This is an ongoing bounty, as are the Mitigation Bypass Bounty and the Bounty for Defense. Microsoft will pay out up to $100,000 for the last two bounties, while the online services bounty pays up to $15,000.
Today’s .NET Core and ASP.NET beta bounty is the second Microsoft program for individual vulnerabilities in software. Until the Online Services Bounty, Microsoft had primarily focused on paying for novel defensive techniques and exploit mitigations, opting to stay away from strictly rewarding offensive research.
Microsoft has already handed out a number of six-figure rewards in the Bounty for Defense and the Mitigation Bypass bounty to researchers who have successfully beaten exploit mitigations in Windows, including ASLR, DEP, SEHOP and more, as well as rewarding one researcher $200,000 for a new technique to defend against return-oriented programming (ROP) attacks.