
Microsoft now pays up to $40,000 for some .NET vulnerabilities


Microsoft has expanded its .NET bug bounty program and increased rewards to $40,000 for some .NET and ASP.NET Core vulnerabilities.

Madeline Eckert, a senior program manager for Researcher Incentives and Bounty at Microsoft, stated that these changes aim to more accurately reflect the complexity involved in discovering and exploiting .NET vulnerabilities.

"We're excited to announce significant updates to the Microsoft .NET Bounty Program. These changes expand the program's scope, simplify the award structure, and offer great incentives for security researchers," said Eckert.

"The .NET Bounty Program now offers awards up to $40,000 USD for vulnerabilities impacting the .NET and ASP.NET Core (including Blazor and Aspire)."

Starting today, Microsoft will pay up to $40,000 for critical remote code execution and privilege escalation security flaws, as well as $30,000 for critical security feature bypasses, and up to $20,000 for critical remote denial-of-service bugs.

The .NET bug bounty program has also expanded to better cover .NET framework vulnerabilities, and it now includes:

All supported versions of .NET and ASP.NET,

Adjacent technologies such as F#,

Supported versions of ASP.NET Core for .NET Framework,

Templates provided with supported versions of .NET and ASP.NET Core,
