Microsoft is stepping up its bug hunting efforts surrounding its Visual Studio development suite, adding Microsoft .NET Core and ASP.NET Core to its Bug Bounty program.
The bounties opened yesterday and will run “indefinitely,” according to Microsoft. The bounty program includes the Windows and Linux versions of .NET Core and ASP.NET Core.
Bounty payouts range from $500 to $15,000 and renews a technical preview bounty announced last year for .NET Core and ASP.NET 5 Beta that expired Jan. 20.
“During the RC1 and RC2 bounty periods we received quite a few interesting, intriguing and even puzzling bugs which we’ve addressed,” wrote Barry Dorrans, a .NET security analyst at Microsoft, in a blog post announcing the bounty program additions. “The RC 1 bounty included one report which prompted an entire rewrite of a feature to make it easier for developers to use successfully.”
Specifics for the latest bounty program include payouts for “critical and important vulnerabilities” found on the latest RTM version, or supported beta or RC releases of latest versions of Microsoft .NET Core, ASP.NET Core. The bug bounty also includes Kestrel, Microsoft’s new cross-platform web server, as well as bugs found in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later, according to Microsoft.
Microsoft announced the update to its bug bounty program on Thursday, offering technical program descriptions as well. Microsoft released .NET Core and ASP.NET Core late June. Microsoft’s .NET Core is a small optimized runtime that is the basis of ASP.NET Core, with ports for Linux, OS X and FreeBSD. ASP.NET Core is an open source web framework used by developers for building cross-platform web applications that run on Windows, Linux and the Mac.
Payouts for .NET Core and ASP.NET Core bugs top out at $15,000 for “high quality” flaws tied to remote code execution. Microsoft will pay up to $9,000 for “high quality” bugs relating to security design flaws and successful elevation of privileges. Payouts of $5,000 will go to bug bounty hunters that find remote DoS and tampering/spoofing vulnerabilities. At the base level Microsoft said template CSRF or XSS bugs will payout between $500 and $2,000.
Microsoft launched its bug bounty program in 2013, agreeing to pay good money to white hats, researchers and aspiring young hackers to find vulnerabilities in its universe of products.