Microsoft on Thursday introduced that safety researchers can now earn as much as $40,000 in rewards for qualifying reviews detailing vulnerabilities within the .NET framework and adjoining applied sciences.
researchers, the tech large says, could earn the utmost rewards for full reviews detailing critical-severity distant code execution (RCE) or elevation of privilege (EoP) flaws in .NET and ASP.NET Core (together with Blazor and Aspire).
Researchers reporting safety bypasses could obtain rewards of as much as $30,000 for his or her findings, whereas distant denial-of-service (DoS) bugs might earn them as much as $20,000. Microsoft can pay as much as $20,000 for spoofing or tampering points, data disclosure bugs, and circumstances of insecure documentation.
The tech large additionally introduced that the scope of the bug bounty program has been expanded, now masking all supported .NET and ASP.NET variations, F# and different adjoining applied sciences, supported ASP.NET Core for .NET Framework variations, templates for .NET and ASP.NET Core, and GitHub Actions within the .NET and ASP.NET Core repositories.
Moreover, Microsoft has made adjustments to submission analysis and rewarding, with clearer severity ranges, safety impacts, and revised standards for report high quality.
As a part of the restructured .NET Bounty Program, Microsoft will calculate rewards based mostly on a vulnerability’s potential influence, in order that high-severity safety defects obtain larger payouts.
The brand new safety influence varieties are aligned to these Microsoft makes use of in different bug bounty packages, in order that researchers can higher perceive submission assessments.
Each report, Microsoft notes, can be rated ‘full’ or ‘not full’, based mostly on the presence of totally practical exploits. Researchers will obtain decrease rewards for theoretical eventualities.Commercial. Scroll to proceed studying.
Thus, ‘not full’ submissions detailing critical-severity RCE, EoP, and safety bypass bugs can be awarded as much as $20,000. Distant DoS reviews that aren’t full can be awarded as much as $15,000, whereas these for spoofing, data disclosure, and insecure documentation is not going to earn greater than $7,000.
“These updates promote transparency and encourage detailed, actionable submissions that assist enhance the safety of the .NET ecosystem,” Microsoft notes.
Associated: $1 Million Supplied for WhatsApp Exploit at Pwn2Own Eire 2025
Associated: Google Paid Out $12 Million by way of Bug Bounty Packages in 2024
Associated: Don’t Let Your Profession Go the Means of Leisure 720
Associated: Researcher Earns $30,000 for Instagram Flaw Exposing Non-public Posts
