Announcing a Microsoft .NET Core and ASP.NET Core Bug Bounty

Discussion in 'Security Alerts' started by News, Sep 2, 2016.

  1. News

    It’s our pleasure to announce another exciting expansion of the Microsoft Bounty Programs. Today, we will be adding .NET Core and ASP.NET Core to our suite of ongoing bounty programs. We are offering a bounty on the Windows and Linux versions of .NET Core and ASP.NET Core starting on September 1, 2016. The program highlights are:

    • Microsoft will pay a bounty for critical and important vulnerabilities on the latest RTM version, or supported Beta or RC releases of the latest versions, of Microsoft .NET Core and ASP.NET Core
    • It includes vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later
    • Also included is Kestrel, Microsoft’s new web server
    • The supported platforms are Windows and Linux versions of .NET Core and ASP.NET Core
    • The vulnerability must both be submitted on and reproduce on the latest RTM version, or on supported Beta or RC releases above the current RTM version to qualify for a bounty
    • The better the quality of your report, the greater will be the payment
    • The bounty will begin on September 1, 2016 and run indefinitely (ending at Microsoft’s discretion)
    • Bounty payouts will range from $500 USD to $15,000 USD

    You can install the current RTM version and subsequent betas from https://dot.net/

    This new bounty will be in addition to our currently ongoing Microsoft Edge RCE, Online Services, and Mitigation bypass and Bounty for Defense bounty programs. These additions are a part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third-party audits.

    As always, the most up-to-date information about the Microsoft Bounty Programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.

    Happy hacking!

    Jason Shirk and Akila Srinivasan
