Microsoft has expanded its .NET bug bounty program and raised its rewards to $40,000 for some .NET and ASP.NET Core vulnerabilities.
Madeline Eckert, senior program supervisor for Microsoft Researcher Incentives and Bounty, said these changes are intended to more accurately reflect the complexity involved in discovering and exploiting .NET vulnerabilities.
“We look forward to announcing important updates to the Microsoft .NET Bounty Program. These changes will broaden the scope of the program, simplify the award structure and provide important incentives for security researchers,” Eckert said.
“The .NET Bounty Program offers awards of up to 40,000 US dollars for vulnerabilities affecting .NET and ASP.NET Core (including Blazor and Aspire).”
Starting today, Microsoft will pay up to $40,000 for important remote code execution and privilege escalation security flaws, $30,000 for important security feature bypasses, and $20,000 for important remote denial-of-service bugs.
The .NET Bug Bounty Program has been extended to better cover vulnerabilities in the .NET framework, including:
- All supported versions of .NET and ASP.NET,
- Adjacent technologies such as F#,
- Supported versions of ASP.NET Core for .NET Framework,
- Templates provided with supported versions of .NET and ASP.NET Core,
- GitHub Actions in .NET and ASP.NET Core repositories.
Earlier this year, Microsoft raised the bounty award to $30,000 for AI vulnerabilities found in Power Platform and Dynamics 365 services and products.
In February, the company announced increased payouts for moderate-severity Microsoft Copilot (AI) security flaws and a 100% multiplier for all Copilot bounty awards to encourage AI research.
At last year's Ignite annual conference, Microsoft also launched Zero Day Quest, a hacking event focusing on cloud and AI products and platforms, offering a $4 million reward.
These efforts are part of the company's Secure Future Initiative (SFI), a company-wide cybersecurity engineering plan launched in November 2023, following a rigorous report issued by the Department of Homeland Security's Cyber Safety Review Board, which stated that Microsoft had an “insufficient security culture and requires overhaul.”