
Microsoft offers $40K bounties for critical .NET vulnerabilities

Summary

– Microsoft increased its .NET bug bounty rewards to $40,000 for critical vulnerabilities in .NET and ASP.NET Core, including remote code execution and privilege escalation flaws.
– The updated program expands coverage to include all supported .NET versions, adjacent technologies like F#, and GitHub Actions in .NET repositories.
– Microsoft aims to better reflect the complexity of finding .NET vulnerabilities and incentivize researchers with simplified award structures.
– Earlier in 2024, Microsoft raised bounties for AI vulnerabilities in Power Platform and Copilot, including a 100% award multiplier for Copilot flaws.
– These changes are part of Microsoft’s Secure Future Initiative, launched after criticism of its security culture by the Department of Homeland Security.

Microsoft has significantly boosted its bug bounty rewards, now offering up to $40,000 for critical vulnerabilities found in .NET and ASP.NET Core frameworks. The enhanced program reflects the growing importance of securing these widely used development platforms, which power countless enterprise applications and web services.

Security researchers specializing in .NET technologies now have stronger incentives to uncover high-severity flaws. Critical remote code execution and privilege escalation vulnerabilities qualify for the maximum $40,000 payout, while security feature bypasses can earn $30,000. Remote denial-of-service bugs fall into a lower tier, with rewards capped at $20,000.

The expanded program now covers a broader range of components, including all supported versions of .NET and ASP.NET, F# programming language implementations, and GitHub Actions within Microsoft’s official repositories. Templates bundled with these frameworks are also in scope, ensuring comprehensive protection across development environments.

This move aligns with Microsoft’s broader Secure Future Initiative, a company-wide push to strengthen cybersecurity defenses. Recent months have seen similar increases in bounty payouts for AI-related vulnerabilities, including a 100% bonus for Copilot bug discoveries and $30,000 rewards for flaws in Power Platform and Dynamics 365.

The tech giant has also experimented with high-profile hacking challenges, such as last year’s Zero Day Quest, which distributed $4 million in prizes for cloud and AI security research. These efforts follow criticism from government agencies about gaps in Microsoft’s security practices, prompting a renewed focus on proactive vulnerability discovery.

By incentivizing independent researchers, Microsoft aims to identify and patch critical weaknesses before malicious actors exploit them. The revised bounty structure acknowledges the technical difficulty of finding deep-seated flaws in mature frameworks like .NET, while encouraging thorough testing of emerging technologies.

(Source: Bleeping Computer)
