.NET Bounty Program now offers up to $40,000 in awards
.NET and MSRC are excited to announce a significant update to the Microsoft .NET Bounty Program. These changes expand the program’s scope, simplify the award structure, and offer great incentives for security researchers.
The .NET Bounty Program now offers awards up to $40,000 USD for vulnerabilities impacting the .NET and ASP.NET Core (including Blazor and Aspire).
For full terms please see the MSRC .NET Bug Bounty terms and conditions.
Program scope expansion
The .NET Bounty Program now provides broader coverage across .NET. It includes:
- All supported versions [1] of .NET and ASP.NET
- Adjacent technologies such as Aspire and F#
- Supported versions [1] of ASP.NET Core for .NET Framework
- Templates provided with supported versions [1] of .NET and ASP.NET Core
- GitHub Actions in the .NET and ASP.NET Core repositories
These updates ensure continuous security review and protection for Microsoft customers across a wider range of technologies.
Reporting a Vulnerability
To potentially qualify for a bounty, security issues and bugs must be reported privately to the Microsoft Security Response Center (MSRC), either by emailing [email protected] or via the portal at https://msrc.microsoft.com/. You should receive a response within 24 hours.
Security bugs and issues opened via GitHub issues do not qualify for the bug bounty program.
Awards structure update
The restructured .NET Bounty Program introduces several improvements to how submissions are evaluated and rewarded. The new award tables now clearly define severity levels, specify different types of security impacts, and outline revised criteria for report quality.
Clear severity levels: Awards are now based on the potential impact of a vulnerability, ensuring higher-impact issues receive greater rewards.
Aligned impact categories: Security impact types now match those used in other Microsoft bounty programs, helping researchers understand how their submissions will be assessed.
Defined report quality: Submissions are rated as either “complete” or “not complete.” Only reports that include fully functional exploits qualify as “complete.” Theoretical scenarios are still considered but receive lower awards based on practical impact.
These updates promote transparency and encourage detailed, actionable submissions that help improve the security of the .NET ecosystem.
Increased award amounts
We’ve increased the award amounts to better reflect the complexity of discovering and exploiting vulnerabilities within .NET.
| Security impact | Report quality | Critical severity | Important severity |
| --- | --- | --- | --- |
| Remote Code Execution | Complete | $40,000 | $30,000 |
| Remote Code Execution | Not Complete | $20,000 | $20,000 |
| Elevation of Privilege | Complete | $40,000 | $10,000 |
| Elevation of Privilege | Not Complete | $20,000 | $4,000 |
| Security Feature Bypass | Complete | $30,000 | $10,000 |
| Security Feature Bypass | Not Complete | $20,000 | $4,000 |
| Remote Denial of Service | Complete | $20,000 | $10,000 |
| Remote Denial of Service | Not Complete | $15,000 | $4,000 |
| Spoofing or Tampering | Complete | $10,000 | $5,000 |
| Spoofing or Tampering | Not Complete | $7,000 | $3,000 |
| Information Disclosure | Complete | $10,000 | $5,000 |
| Information Disclosure | Not Complete | $7,000 | $3,000 |
| Documentation or samples [2] | Complete | $10,000 | $5,000 |
| Documentation or samples [2] | Not Complete | $7,000 | $3,000 |
Thank you to our researchers and collaborators for your continued partnership. Your contributions are essential to strengthening the security of .NET, and we look forward to your future submissions.
Thanks
Madeline Eckert, MSRC and Barry Dorrans, .NET Security
[1] Supported versions can be found at .NET Lifecycle.
[2] Only documentation, or samples included in documentation, that are insecure or encourage insecurity and are not explicitly described as samples that do not take security into consideration.