Microsoft now pays up to $40,000 for some .NET vulnerabilities

Microsoft has expanded its .NET bug bounty program and increased rewards to $40,000 for some .NET and ASP.NET Core vulnerabilities.

Madeline Eckert, a senior program manager for Researcher Incentives and Bounty at Microsoft, stated that these changes aim to more accurately reflect the complexity involved in discovering and exploiting .NET vulnerabilities.

“We’re excited to announce significant updates to the Microsoft .NET Bounty Program. These changes expand the program’s scope, simplify the award structure, and offer great incentives for security researchers,” said Eckert.

“The .NET Bounty Program now offers awards up to $40,000 USD for vulnerabilities impacting the .NET and ASP.NET Core (including Blazor and Aspire).”

Starting today, Microsoft will pay up to $40,000 for critical remote code execution and privilege escalation security flaws, as well as $30,000 for critical security feature bypasses, and up to $20,000 for critical remote denial-of-service bugs.

The .NET bug bounty program has also expanded to better cover .NET framework vulnerabilities, and it now includes:

• All supported versions of .NET and ASP.NET,
• Adjacent technologies such as F#,
• Supported versions of ASP.NET Core for .NET Framework,
• Templates provided with supported versions of .NET and ASP.NET Core,
• GitHub Actions in the .NET and ASP.NET Core repositories.

​Earlier this year, Microsoft raised bounty awards to $30,000 for AI vulnerabilities found in Power Platform and Dynamics 365 services and products.

In February, it announced increased payouts for moderate-severity Microsoft Copilot (AI) security flaws and a 100% award multiplier for all Copilot bounty awards to incentivize AI research.

During last year’s Ignite annual conference, Microsoft also launched the Zero Day Quest, a hacking event focusing on cloud and AI products and platforms, and offering $4 million in rewards.

These efforts are part of the company’s Secure Future Initiative (SFI), a company-wide cybersecurity engineering plan launched in November 2023, following a scathing report issued by the Department of Homeland Security’s Cyber Safety Review Board, which stated that Microsoft’s “security culture was inadequate and requires an overhaul.”