PROGRAM DESCRIPTION

On October 20, 2015, Microsoft announced a bounty program for .NET Core CLR and ASP.NET 5 Betas shipping with Visual Studio 2015. This program concluded on January 20, 2016 and on June 7, 2016, Microsoft announced the successor of the program to include the .NET Core and ASP.NET Core Beta Builds and any RTM versions released within the bounty program. Individuals across the globe have the opportunity to submit vulnerabilities found in the latest release candidates, or RTM version of .NET Core and ASP.NET Core running on Windows, Linux, and MacOS. Qualified submissions are eligible for payment from a minimum of $500 USD to $15,000 USD, and bounties will be paid out at Microsoft’s discretion based on the quality and complexity of the vulnerability. Microsoft may pay more than $15,000 USD, depending on the entry quality and complexity.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?

Vulnerability submissions (“submissions”) provided to Microsoft must meet the following criteria to be eligible for payment:
  • Identify an original and previously unreported vulnerability in the latest RC or RTM version* of Microsoft .NET Core, ASP.NET Core and the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015, or the associated support documentation and samples.
    Examples may include bypasses of CSRF protection, Encoding, Data Protection failures, Information disclosures to a client, Authentication bypasses and Remote Code Execution.
    *your vulnerability must reproduce on the latest RC or RTM version to be eligible
  • Include concise reproducibility steps that are easily understood. (This allows submissions to be processed as quickly as possible and supports the highest payment for the type of vulnerability being reported.)
Microsoft may reject any submission, that it determines (in its sole discretion) does not meet these criteria.

HOW ARE PAYMENT AMOUNTS SET?

The payment range for eligible submissions will be based upon the following:
Whitepaper / Report Quality
Pay-out Range(USD)
Remote Code Execution
Required
Required
High
Up to $15,000
Required
No
High
Up to $6,000
Required
No
Low Up to $1,500
Security Design Flaw
Required
No
High
Up to $10,000
Required
Optional
High
Up to $5,000
Required
No
Low Up to $1,500
Elevation of Privilege
Required
Required
High Up to $10,000
Required
No
Low Up to $5,000
Remote DoS
Required
Optional
High Up to $5,000
Required
No
Low Up to $2,500
Tampering / Spoofing
Required
Optional
High Up to $5,000
Required
No
Low Up to $2,500
Information Leaks
Required
Optional
High Up to $2,500
Required
No
Low Up to $750
Template CSRF or XSS
Required
Optional
High Up to $2,000
Required
Optional
Low
$500
Documentation or samples included in documentation are insecure or encourage insecurity and are not described as samples which do not take security into consideration
Required
Optional
High
Up to $1,000
Required
Optional
Low
Up to $500

*Higher payouts are possible, at Microsoft’s sole discretion, based on entry quality and complexity.

WHAT CONSTITUTES AN INELIGIBLE SUBMISSION?

 
The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users and our users’ data. While we encourage any submissions that describe security vulnerabilities in ASP.NET, the following are examples of vulnerabilities that will not earn a bounty reward under this program:
 
  • Publicly-disclosed vulnerabilities which are already known to Microsoft and the wider security community
  • Vulnerabilities in anything earlier than the current public betas of .NET Core & ASP.NET
  • Vulnerabilities in released versions of ASP.NET
  • Vulnerabilities in user-generated content
  • Vulnerabilities requiring extensive or unlikely user actions
  • Vulnerabilities which disable or do not use any built in mitigation mechanisms
  • Low impact CSRF bugs
  • Server-side information disclosure
  • Vulnerabilities in platform technologies that are not unique to .NET Core or ASP.NET (for example IIS, OpenSSL etc.)
We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.

HOW DO I PROVIDE MY SUBMISSION?

You can install .NET Core from https://www.microsoft.com/net/download and the source is available from https://github.com/dotnet and https://github.com/aspnet. Send your complete submission to Microsoft at secure@microsoft.com using the bug submission guidelines found here. We request you follow Coordinated Vulnerability Disclosure when reporting all vulnerabilities. We are not responsible for submissions that we do not receive for any reason. We will exercise reasonable efforts to clarify indecipherable or incomplete submissions.
 
If you provide us with an otherwise eligible submission, but do not follow Coordinated Vulnerability Disclosure—for example, by publishing the vulnerability when or before you submit it under this program—then Microsoft may deem your submission to be ineligible under this program. We may also disqualify you from receiving compensation under future Microsoft Bounty programs.

BOUNTY PAYMENTS:

Bounties will be paid out at Microsoft’s discretion based on the quality and complexity of the vulnerability. Microsoft retains sole discretion in determining which submissions are qualified. Microsoft retains sole discretion in determining which submissions are qualified. The minimum bounty paid for a qualified submission is $500 USD up to a maximum of $15,000 USD. There are no restrictions on the number of qualified submissions an individual submitter can provide and be paid for. If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.

LEGAL NOTICE

To get additional information on the Microsoft legal guidelines please go here.
 

Thank you for participating in the Microsoft Bug Bounty Program!

Revision History

  • ​​​​​​​October 16, 2018: Updated to include Github links to source