Microsoft Bug Bounty Extends Scope
Written by Alex Armstrong   
Tuesday, 04 October 2016

Microsoft recently added  NET Core and ASP.NET Core to its suite of ongoing bounty programs. It has also expanded its Remote Code Execution Bounty for Microsoft Edge.

  msbugbountyshield

The .NET Core and ASP.NET Core program started on September 1, 2016 with the following key points: 

  • Microsoft will pay a bounty for critical and important vulnerabilities on the latest RTM version, or supported Beta or RC releases of latest versions of Microsoft .NET Core, ASP.NET Core on both Windows and Linux

  • It includes vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later and Kestrel, Microsoft’s new web server

  • The vulnerability must both be submitted on and reproduce on the latest RTM version, or on supported Beta or RC releases above the current RTM version to qualify for a bounty and the better the quality of your report, the greater will be the payment

  • Bounty payouts will range from $500 USD to $15,000 USD

A bounty for RCE (Remote Code Execution) vulnerabilities in Microsoft Edge on Windows Insider Preview builds was introduced on August 4, 2016 and runs until May 15, 2017. Initially it offered the following rewards:

RCEEdge

Vulnerabilities in open source sections of Chakra are also included in the program.

At the end of September it was extended with the MSRC Team explaining:

Since security is a continuous effort and not a destination, we prioritize acquiring different types of vulnerabilities in different points of time. Currently, we are focusing on vulnerabilities that lead to violation of W3C standards that compromise privacy and integrity of important user data, and RCEs.

As a result rewards are available for reporting Same Origin Policy (SoP) bypass vulnerabilities, for example UXSS, and referrer spoofs with proof of concept, i.e.the files and steps necessary to reliably reproduce the vulnerability.  A bounty of up to $6,000 will be paid in the case of a high quality report or up to $1,500 in the case of a low quality report.

Microsoft's highest level of reward is for Mitigation Bypass Bounty and Bounty for Defense Program, initiated in 2013. Submitting a novel mitigation bypass against the latest Windows platform can earn up to $100,000 with a further $100,000 on offer for a defense technique to block it.  The highest payout to date has been $125,000 in 2015. So far in 2016 7 payouts, ranging from $5,000 to $100,000 and totalling $245,000, have been made. 

Bounties of between $500 and $15,000 are also regularly paid as part of the Microsoft Online Services Bug Bounty program. There were 30 recipients of such bounties in the first two quarters of 2016 but while their names are listed on the Bounty Hunters Honor Roll, the amounts awarded are not supplied.

Stay turned to the Microsoft Security Response Center blog for further updates to the Microsoft Bug Bounty programs. 

msbugbountyshield

Banner


Eclipse IoT Developer Survey 2024
04/12/2024

The Eclipse Foundation’s IoT Working Group has released the results of its 2024 IoT Developer Survey. Industrial automation and automotive are now the leading industry sectors and connectivity is th [ ... ]



OpenSilver Adds XAML Designer For Visual Studio Code
12/12/2024

OpenSilver 3.1 has been released. This version adds a drag-and-drop XAML designer for Visual Studio Code (VS Code), a new modern UI theme, and expanded support for WPF features. The open-source altern [ ... ]


More News

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

 

Last Updated ( Tuesday, 04 October 2016 )