Microsoft expands bug bounty program with .NET Core rewards

The beta programs for new services are the focus of fresh rewards for researchers.


Microsoft has expanded the company's bug bounty program to include new service builds which are due for release in the coming year.

The Redmond giant said on Tuesday that the new program will focus on .NET Core and ASP.NET Core RC2 beta builds of the new web application frameworks built from the ground up, announced in May this year.

According to Jason Shirk, the senior director of Microsoft's Security Response Center, the bounty will run from 7 June to 7 September this year, and rewards will range from $500 to $15,000, depending on the severity of the security flaw.

Researchers seeking a reward must submit a valid and previously unreported bug. Acceptable submissions include remote code execution (RCE) vulnerabilities, security design flaws, privilege escalation bugs, remote denial-of-service (DoS) weaknesses, information leaks and XSS vulnerabilities.

The limit for payments is set at $15,000; however, Microsoft may issue a higher amount if the reported bug warrants special treatment.

Microsoft Windows, Apple OS X and Linux platforms are supported.

The new bug bounty program joins Microsoft's Nano Server beta, Online Services, and Mitigation Bypass and Bounty for Defense programs. The Nano Server beta program was launched in May to improve the remotely administered, headless installation option of the server operating system.

"Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third-party audits," Shirk says.

RC2 can be downloaded from here.