Microsoft has just announced an extension of its bug bounty program that brings payments of up to $15,000 (€12,500) to hackers who manage to break into .NET Core and ASP.NET Core RC2 Beta Build.
Microsoft says that all bounties will be eligible for NET Core, ASP.NET Core RC2, and any subsequent release candidates, including the RTM version if it’s released by the time the program ends. Bug reports can be submitted between June 7 and September 7 and can bring you back at least $500 (€450) and a maximum of $15,000 if you find one critical vulnerability.
The company adds that should any submission be considered a special entry, a bigger bounty could be offered, so it’s all up to how big the vulnerability you find actually is.
RCE flaws bring the biggest amount of money
The supported platforms are Windows, OS X, and Linux, and Microsoft explains that you can submit any type of vulnerability, including remote code execution (RCE) vulnerabilities, security design flaws, privilege escalation bugs, remote denial-of-service (DoS) weaknesses, information leaks and XSS.
“This new bounty will be in addition to our ongoing Nano Server beta, Online Services, and Mitigation bypass and Bounty for Defense bounty programs. These additions are a part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits,” it explains in a TechNet.
Remote Code Execution flaws are paid the best, but for the $15,000 bounty, you also need to provide a functional exploit and attach a whitepaper to detail the bug.
Just like for the other bug bounty programs, the standard rules apply. Therefore, you must be at least 14 years old (or have your parents’ permission to participate in the program), be an individual researcher not working for Microsoft and having your company’s go-ahead, and live in any country that’s not currently on the US sanction list.