Microsoft wants researchers to find bugs in .NET Core and ASP.NET, will pay
Microsoft has launched another specialized bug bounty that’s set to run until January 20th, 2016.
Bug hunters, who can earn between $500 and $15,000 depending on the complexity of the vulnerability and the quality of their report, are directed to aim their sights at the recently released .NET CoreCLR and ASP.NET 5 Beta.
“.NET and ASP.NET represent critical building blocks in the Visual Studio Development Suite,” Jason Shirk of the MSRC Team explained.
“This bounty is particularly interesting because the libraries and functions included in .NET enable developers to write their own programs with great security and stability, increasingly on many Operating Systems. This will extend to all supported platforms, initially including Linux and OS X, with some current exclusions to non-Windows platforms.”
Higher rewards than the maximum 15,000 (for remote code execution vulns that come with a PoC and a functioning exploit) are possible, but will be awarded at Microsoft’s sole discretion.
Microsoft is looking for RCE and elevation of privilege flaws, vulnerabilities in the security design, remote DoS, information leak and template CSRF or XSS flaws, and vulnerabilities that allow tampering and/or spoofing.
They are not interested in vulnerabilities in user-generated content, those requiring extensive or unlikely user actions, those that disable or do not use any built in mitigation mechanisms, server-side information disclosure bugs, low impact CSRF bugs, and Vulnerabilities in platform technologies that are not unique to CoreCLR or ASP.NET.
“The program encompasses the latest beta version, beta 8 and any subsequent beta or release candidates released during the program period,” Barry Dorrans, the security lead for ASP.NET, noted in a blog post. “Starting a bounty program during our beta period allows us to address issues quickly and comprehensively.”
“The bounty includes all supported platforms .NET Core and ASP.NET runs on; Windows, Linux and OS X. However with the first eligible release, beta 8, we are excluding the networking stack on Linux and OS X. In later beta and RC releases, once our cross platform networking stack matches the stability and security it has on Windows, we’ll include it within the program,” he explained.
More details about the bounty program, as well as a precise table defining rewards for different bugs, can be found here.