Microsoft Bug Bounty Extends Scope
Written by Alex Armstrong   
Tuesday, 04 October 2016

Microsoft recently added .NET Core and ASP.NET Core to its suite of ongoing bounty programs. It has also expanded its Remote Code Execution Bounty for Microsoft Edge.


The .NET Core and ASP.NET Core program started on September 1, 2016 with the following key points: 

  • Microsoft will pay a bounty for critical and important vulnerabilities in the latest RTM version, or in supported Beta or RC releases of the latest versions, of Microsoft .NET Core and ASP.NET Core on both Windows and Linux

  • It includes vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later and Kestrel, Microsoft’s new web server

  • To qualify for a bounty, the vulnerability must be both submitted against and reproducible on the latest RTM version, or on supported Beta or RC releases above the current RTM version; the higher the quality of the report, the higher the payment

  • Bounty payouts will range from $500 USD to $15,000 USD

A bounty for RCE (Remote Code Execution) vulnerabilities in Microsoft Edge on Windows Insider Preview builds was introduced on August 4, 2016 and runs until May 15, 2017. Initially it offered the following rewards:

[Table of initial Edge RCE reward tiers; image not available in this copy]

Vulnerabilities in open source sections of Chakra are also included in the program.

At the end of September it was extended with the MSRC Team explaining:

Since security is a continuous effort and not a destination, we prioritize acquiring different types of vulnerabilities in different points of time. Currently, we are focusing on vulnerabilities that lead to violation of W3C standards that compromise privacy and integrity of important user data, and RCEs.

As a result, rewards are now available for reporting Same Origin Policy (SOP) bypass vulnerabilities, for example UXSS, and referrer spoofs, provided they come with a proof of concept, i.e. the files and steps necessary to reliably reproduce the vulnerability. A bounty of up to $6,000 will be paid for a high quality report, or up to $1,500 for a low quality report.

Microsoft's highest level of reward is for the Mitigation Bypass Bounty and Bounty for Defense Program, initiated in 2013. Submitting a novel mitigation bypass against the latest Windows platform can earn up to $100,000, with a further $100,000 on offer for a defense technique that blocks it. The highest payout to date has been $125,000, in 2015. So far in 2016, seven payouts have been made, ranging from $5,000 to $100,000 and totalling $245,000.

Bounties of between $500 and $15,000 are also regularly paid as part of the Microsoft Online Services Bug Bounty program. There were 30 recipients of such bounties in the first two quarters of 2016; their names are listed on the Bounty Hunters Honor Roll, but the amounts awarded are not disclosed.

Stay tuned to the Microsoft Security Response Center blog for further updates to the Microsoft Bug Bounty programs.

Last Updated ( Tuesday, 04 October 2016 )