Microsoft .NET Bounty Program
PROGRAM DESCRIPTION
.NET, ASP.NET, .NET Core, and ASP.NET Core are developer platforms for building different applications. The .NET Bounty Program invites researchers from across the globe to identify vulnerabilities in.NET, ASP.NET, .NET Core, and ASP.NET Core and share them with our team. Qualified submissions are eligible for bounty rewards from $500 to $15,000 USD.
This bounty program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions and our bounty Safe Harbor policy.
IN SCOPE PRODUCTS AND SERVICES
Vulnerabilities submitted in the following products and services are eligible under this bounty program:
- Current, supported*, RTM versions of Microsoft .NET 5 or later
- Current, supported*, RTM versions of .NET Core and ASP.NET Core
- Release candidates for upcoming versions of .NET
- .NET 5 or later templates or .NET Core templates provided with a currently supported version of Visual Studio
- Any associated documentation on docs.microsoft.com and samples contained within such documentation for current, supported*, RTM versions of .NET 5.0 or later, .NET Core, ASP.NET Core
- Any Preview Features listed in this GitHub page, whether in current supported versions or an upcoming version.
*more information on the supported versions can be found here.
ELIGIBLE SUBMISSIONS
The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers. Vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Identify a vulnerability that was not previously reported to, or otherwise known by, Microsoft.
- Such vulnerability must reproduce in one of the in-scope products or services
- Include clear, concise, and reproducible steps, either in writing or in video format.
- Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue.
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
GETTING STARTED
To get started, you can install .NET and .NET Core.The source is available from Github. Follow the .NET Blog to learn about the latest features and releases.
BOUNTY AWARDS?
Vulnerability Type | Functioning Exploit | Report Quality | Award |
---|---|---|---|
Remote Code Execution |
Required
|
High
|
Up to $15,000
|
No
|
High
|
Up to $6,000
|
|
No
|
Low
|
Up to $1,500
|
|
Security Design Flaw |
Required
|
High
|
Up to $10,000
|
Optional
|
High
|
Up to $5,000
|
|
No
|
Low
|
Up to $1,500
|
|
Elevation of Privilege |
Required
|
High
|
Up to $10,000
|
No
|
Low
|
Up to $5,000
|
|
Remote DoS |
Optional
|
High
|
Up to $5,000
|
No
|
Low
|
Up to $2,500
|
|
Tampering / Spoofing |
Optional
|
High
|
Up to $5,000
|
No
|
Low
|
Up to $2,500
|
|
Information Leaks |
Optional
|
High
|
Up to $2,500
|
No
|
Low
|
Up to $750
|
|
Template CSRF or XSS |
Optional
|
High
|
Up to $2,000
|
Optional
|
Low
|
$500
|
|
Documentation or samples included in documentation are insecure or encourage insecurity and are not described as samples which do not take security into consideration |
Optional
|
High
|
Up to $1,000
|
Optional
|
Low
|
Up to $500
|
OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:
- Publicly-disclosed vulnerabilities which are already known to Microsoft and the wider security community
- Vulnerabilities in the .NET Framework, or any ASP.NET framework running on .NET Framework (Webforms or MVC).
- Vulnerabilities in out of support versions of .NET or .NET Core.
- Vulnerabilities in versions of .NET 5 or later, .NET Core or ASP.NET Core which are daily builds, early beta releases, or are not RTM or RC versions.
- Vulnerabilities in user-generated content
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities which disable or do not use any built in mitigation mechanisms
- Low impact CSRF bugs
- Server-side information disclosure
- Vulnerabilities in platform technologies that are not unique to .NET, .NET Core or ASP.NET (for example IIS, OpenSSL etc.)
- Sub-domain takeover
We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
ADDITIONAL INFORMATION
For additional information, please see our FAQ.
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
- If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
- If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
- Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.
Thank you for participating in the Microsoft Bug Bounty Program!
REVISION HISTORY
- October 20, 2015: Announced the new bounty program for .NET Core CLR and ASP.NET 5 Betas shipping with Visual Studio 2015.
- January 20, 2016: Program concluded
- June 7, 2016: Announced new bounty program covering both Release, and Release Candidate (RC) versions of .NET Core and ASP.NET Core
- October 16, 2018: Updated to include Github links to source
- November 20, 2020: Updated to use new nomenclature for .NET 5 and .NET Core
- November 23, 2021: Added Preview Feature to scope