Microsoft Upgrades .NET Bounty Program, Offers Rewards Up to $40,000

Microsoft has announced significant enhancements to its .NET Bounty Program, introducing expanded coverage, streamlined award structures, and substantially increased financial incentives for security researchers.

The updated program now offers maximum rewards of USD 40,000 for critical vulnerabilities affecting .NET and ASP.NET Core frameworks, including Blazor and Aspire components.

These changes represent Microsoft’s continued commitment to strengthening cybersecurity across its development ecosystem while providing clearer guidelines and better compensation for the security research community.

Expanded Program Scope Enhances Security Coverage

The upgraded .NET Bounty Program significantly broadens its scope to encompass a more comprehensive range of Microsoft’s development technologies.

The program now includes all supported versions of .NET and ASP.NET, extending coverage to adjacent technologies such as the F# programming language.

Additionally, the scope encompasses supported versions of ASP.NET Core for .NET Framework and templates provided with supported versions of .NET and ASP.NET Core.

GitHub Actions within the .NET and ASP.NET Core repositories are also now covered under the program, ensuring that the entire development pipeline receives continuous security scrutiny.

This expansion reflects Microsoft’s recognition that modern software development involves interconnected components and tools that require holistic security assessment.

By including adjacent technologies and development tools, the company ensures that potential vulnerabilities across the entire .NET ecosystem can be identified and addressed proactively.

The updated program introduces a more sophisticated evaluation framework that categorizes submissions based on both security impact and report quality.

Microsoft has established clear severity levels that align awards with the potential impact of discovered vulnerabilities, with a distinction between “complete” and “not complete” submissions based on whether researchers provide fully functional exploits.

| Security Impact | Report Quality | Critical | Important |
|---|---|---|---|
| Remote Code Execution | Complete | $40,000 | $30,000 |
| Remote Code Execution | Not Complete | $20,000 | $20,000 |
| Elevation of Privilege | Complete | $40,000 | $10,000 |
| Elevation of Privilege | Not Complete | $20,000 | $4,000 |
| Security Feature Bypass | Complete | $30,000 | $10,000 |
| Security Feature Bypass | Not Complete | $20,000 | $4,000 |
| Remote Denial of Service | Complete | $20,000 | $10,000 |
| Remote Denial of Service | Not Complete | $15,000 | $4,000 |
| Spoofing or Tampering | Complete | $10,000 | $5,000 |
| Spoofing or Tampering | Not Complete | $7,000 | $3,000 |
| Information Disclosure | Complete | $10,000 | $5,000 |
| Information Disclosure | Not Complete | $7,000 | $3,000 |
| Insecure Documentation/Samples | Complete | $10,000 | $5,000 |
| Insecure Documentation/Samples | Not Complete | $7,000 | $3,000 |

Microsoft’s enhanced bounty program demonstrates the company’s commitment to collaborative security improvement, recognizing that external researchers play a crucial role in identifying and addressing potential vulnerabilities before they can be exploited maliciously.

The structured approach encourages detailed, actionable submissions that directly contribute to improving .NET security across the development ecosystem.