Microsoft now pays as much as $40,000 for some .NET vulnerabilities

Microsoft has expanded its .NET bug bounty program and increased rewards to $40,000 for some .NET and ASP.NET Core vulnerabilities.

Madeline Eckert, a senior program supervisor for Researcher Incentives and Bounty at Microsoft, said that these changes aim to more accurately reflect the complexity involved in discovering and exploiting .NET vulnerabilities.

“We’re excited to announce important updates to the Microsoft .NET Bounty Program. These adjustments increase this system’s scope, simplify the award construction, and supply nice incentives for security researchers,” said Eckert.

“The .NET Bounty Program now affords awards as much as $40,000 USD for vulnerabilities impacting the .NET and ASP.NET Core (together with Blazor and Aspire).”

Starting today, Microsoft pays as much as $40,000 for critical remote code execution and privilege escalation security flaws, as well as $30,000 for critical security feature bypasses, and as much as $20,000 for critical remote denial-of-service bugs.

The .NET bug bounty program has also been expanded to better cover .NET framework vulnerabilities, and it now includes:

  • All supported versions of .NET and ASP.NET,
  • Adjacent technologies such as F#,
  • Supported versions of ASP.NET Core for .NET Framework,
  • Templates provided with supported versions of .NET and ASP.NET Core,
  • GitHub Actions in the .NET and ASP.NET Core repositories.

Earlier this year, Microsoft raised bounty awards to $30,000 for AI vulnerabilities found in Power Platform and Dynamics 365 services and products.

In February, it announced increased payouts for moderate-severity Microsoft Copilot (AI) security flaws and a 100% award multiplier for all Copilot bounty awards to incentivize AI research.

During last year’s annual Ignite conference, Microsoft also launched the Zero Day Quest, a hacking event focusing on cloud and AI products and platforms, and offering $4 million in rewards.

These efforts are part of the company’s Secure Future Initiative (SFI), a company-wide cybersecurity engineering plan launched in November 2023, following a scathing report issued by the Department of Homeland Security’s Cyber Safety Review Board, which stated that Microsoft’s “security tradition was insufficient and requires an overhaul.”
