Back at the start of August, Microsoft opened a bug bounty program for the Edge browser. The company has now expanded that program for users to check the .NET Core and ASP .NET Core development platforms. Like the Edge program, this bug bounty will reward users who find exploitable bugs in the .NET services.
Both .NET Core and ASP .NET CORE are open source services for server app development. They are cross-platform on Mac, Linux, and Microsoft’s own Windows. The services help developers build cross-platform applications by removing code. Only one platform app needs to be coded for its to work on other platforms.
Just like with the Edge bug bounty, Microsoft will over monetary rewards to users. The rewards will be between $500 and $15,000. To get these rewards, users need to find critical vulnerabilities in the various stages of the .NET Core and ASP .NET CORE platforms. This is across the release candidate, beta, and RTM versions.
- Microsoft will pay a bounty for critical and important vulnerabilities on the latest RTM version, or supported Beta or RC releases of latest versions of Microsoft .NET Core, ASP.NET Core
- It includes vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later
- Also included is Kestrel, Microsoft’s new web server
- The supported platforms are Windows and Linux versions of .NET Core and ASP.NET Core
- The vulnerability must both be submitted on and reproduce on the latest RTM version, or on supported Beta or RC releases above the current RTM version to qualify for a bounty
- The better the quality of your report, the greater will be the payment
- The bounty will begin on September 1, 2016 and run indefinitely (ending at Microsoft’s discretion)
- Bounty payouts will range from $500 USD to $15,000 USD
It is worth noting that the bug bounty is only for Windows and Linux versions of the platforms. Users running the .NET solutions on Mac OS. The bounty is already underway and Microsoft says it will run indefinitely.
Microsoft now has a bounty program for Azure, Edge, and Office 365. The company has put an emphasis on getting high quality feedback from customers.