In late October, Microsoft extended its Bug Bounty to cover security vulnerabilities within its Core CLR (Common Language Runtime), the execution engine for .Net Core, and ASP.Net (both technologies are open source and currently in late beta testing). These technologies are used to build web applications and in the implementation of websites.
As with previous bug bounties, security researchers will be rewarded financially for discovering and responsibly disclosing (defined) these flaws to Microsoft. Their submissions need to include both a functioning exploit and a high-quality white paper. The newly extended bounty program, which includes the above-mentioned technologies, will run from the 20th of October 2015 until the 20th of January 2016.
I’m very pleased to see that Microsoft continues to extend their bug bounty program to include the fundamental frameworks used to create web apps and websites. Any successful submissions will benefit not only the researchers but also all of the customers who use and will use these technologies in the future.
Bounties for Online Services, Microsoft Edge and Internet Explorer 11 Technical Preview have been paid out in the past, illustrating the success of such programs, which benefit everyone.
Further details of the bug bounty programme for ASP.NET and .NET Core are available at the following links: