Microsoft Bounty Program expanded to .NET Core and ASP.NET Core


6, 2016

Microsoft Bounty Programs

As part of the Microsoft Bounty Program, Microsoft began offering direct payments last year in exchange for reports of certain types of vulnerabilities and exploitation techniques. Back in June, they announced the expansion of the program to include the .NET Core and ASP.NET Core RC2 Beta Build, which was announced on May 16, 2016. Last week, they announced that they are adding .NET Core and ASP.NET Core to their ongoing bounty programs. The bounty covers the Windows and Linux versions of .NET Core and ASP.NET Core, starting on September 1, 2016. The program highlights are:

  • Microsoft will pay a bounty for critical and important vulnerabilities on the latest RTM version, or supported Beta or RC releases of the latest versions, of Microsoft .NET Core and ASP.NET Core
  • It includes vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later
  • Also included is Kestrel, Microsoft’s new web server
  • The supported platforms are Windows and Linux versions of .NET Core and ASP.NET Core
  • The vulnerability must both be submitted on and reproduce on the latest RTM version, or on supported Beta or RC releases above the current RTM version to qualify for a bounty
  • The better the quality of your report, the greater the payment
  • The bounty will begin on September 1, 2016 and run indefinitely (ending at Microsoft’s discretion)
  • Bounty payouts will range from $500 USD to $15,000 USD

You can install the current RTM version and subsequent betas from
