Microsoft .NET Bounty | MSRC (original) (raw)

PROGRAM DESCRIPTION

.NET, ASP.NET, .NET Core, and ASP.NET Core are developer platforms for building different applications. The .NET Bounty Program invites researchers to identify vulnerabilities in.NET, ASP.NET, .NET Core, and ASP.NET Core and share them with our team. Qualified submissions are eligible for bounty awards from $1,250 to $40,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.

IN SCOPE PRODUCTS AND SERVICES

Vulnerabilities submitted in the following products and services are eligible under this bounty program:

• Current, supported*, versions of Microsoft .NET and ASP.NET Core.
• The latest version of ASP.NET Core 2.X, if running on .NET Framework.
• Release candidates for upcoming versions of .NET.
• .NET and ASP.NET-Core templates provided with the current, supported versions* of .NET and ASP.NET.
• Any associated GitHub Actions in the associated .NET or ASP.NET Core GitHub repositories.
• Any associated documentation on docs.microsoft.com or learn.microsoft.com/dotnet/, and samples contained within such documentation for current, supported* versions of .NET andASP.NET Core.
• Any Preview Features listed in this GitHub page, whether in current supported versions or an upcoming version.
  *more information on the supported versions can be found here.

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:

• Such vulnerability be Critical or Important severity reproduce in one of the in-scope products or services

We request researchers include the following information to help us quickly assess their submission:

• Submit through the MSRC Researcher Portal

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

GETTING STARTED

Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability.

To get started, you can install .NET and .NET Core. The source is available from Github. Follow the .NET Blog to learn about the latest features and releases.

BOUNTY AWARDS?

Bounty awards range from 1,250upto1,250 up to 1,250upto40,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix.