Friday, August 1, 2025

Microsoft now pays as much as $40,000 for some .NET vulnerabilities



Microsoft has expanded its .NET bug bounty program and increased rewards to $40,000 for some .NET and ASP.NET Core vulnerabilities.

Madeline Eckert, a senior program manager for Researcher Incentives and Bounty at Microsoft, said that these changes aim to more accurately reflect the complexity involved in discovering and exploiting .NET vulnerabilities.

“We’re excited to announce significant updates to the Microsoft .NET Bounty Program. These changes expand the program’s scope, simplify the award structure, and offer great incentives for security researchers,” said Eckert.

“The .NET Bounty Program now offers awards up to $40,000 USD for vulnerabilities impacting the .NET and ASP.NET Core (including Blazor and Aspire).”

Starting today, Microsoft will pay up to $40,000 for critical remote code execution and privilege escalation security flaws, as well as $30,000 for critical security feature bypasses, and up to $20,000 for critical remote denial-of-service bugs.

The .NET bug bounty program has also expanded to better cover .NET framework vulnerabilities, and it now includes:

  • All supported versions of .NET and ASP.NET,
  • Adjacent technologies such as F#,
  • Supported versions of ASP.NET Core for .NET Framework,
  • Templates provided with supported versions of .NET and ASP.NET Core,
  • GitHub Actions in the .NET and ASP.NET Core repositories.

Earlier this year, Microsoft raised bounty awards to $30,000 for AI vulnerabilities found in Power Platform and Dynamics 365 services and products.

In February, it announced increased payouts for moderate-severity Microsoft Copilot (AI) security flaws and a 100% award multiplier for all Copilot bounty awards to incentivize AI research.

During last year’s Ignite annual conference, Microsoft also launched the Zero Day Quest, a hacking event focusing on cloud and AI products and platforms, and offering $4 million in rewards.

These efforts are part of the company’s Secure Future Initiative (SFI), a company-wide cybersecurity engineering plan launched in November 2023, following a scathing report issued by the Department of Homeland Security’s Cyber Safety Review Board, which said that Microsoft’s “security culture was inadequate and requires an overhaul.”
