Microsoft Bug Bounty Extends Scope
Written by Alex Armstrong   
Tuesday, 04 October 2016

Microsoft recently added .NET Core and ASP.NET Core to its suite of ongoing bounty programs. It has also expanded its Remote Code Execution Bounty for Microsoft Edge.


The .NET Core and ASP.NET Core program started on September 1, 2016 with the following key points: 

  • Microsoft will pay a bounty for critical and important vulnerabilities on the latest RTM version, or on supported Beta or RC releases of the latest versions, of Microsoft .NET Core and ASP.NET Core on both Windows and Linux

  • It includes vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later, and in Kestrel, Microsoft's new web server

  • To qualify for a bounty, the vulnerability must both be submitted on and reproduce on the latest RTM version, or on supported Beta or RC releases above the current RTM version; the better the quality of your report, the greater the payment

  • Bounty payouts will range from $500 USD to $15,000 USD

A bounty for RCE (Remote Code Execution) vulnerabilities in Microsoft Edge on Windows Insider Preview builds was introduced on August 4, 2016 and runs until May 15, 2017. Initially it offered the following rewards:


Vulnerabilities in open source sections of Chakra are also included in the program.

At the end of September it was extended with the MSRC Team explaining:

Since security is a continuous effort and not a destination, we prioritize acquiring different types of vulnerabilities in different points of time. Currently, we are focusing on vulnerabilities that lead to violation of W3C standards that compromise privacy and integrity of important user data, and RCEs.

As a result, rewards are available for reporting Same Origin Policy (SOP) bypass vulnerabilities, for example UXSS, and referrer spoofs with a proof of concept, i.e. the files and steps necessary to reliably reproduce the vulnerability. A bounty of up to $6,000 will be paid for a high quality report, or up to $1,500 for a low quality report.

Microsoft's highest level of reward is for the Mitigation Bypass Bounty and Bounty for Defense Program, initiated in 2013. Submitting a novel mitigation bypass against the latest Windows platform can earn up to $100,000, with a further $100,000 on offer for a defense technique that blocks it. The highest payout to date has been $125,000, in 2015. So far in 2016, seven payouts, ranging from $5,000 to $100,000 and totalling $245,000, have been made.

Bounties of between $500 and $15,000 are also regularly paid as part of the Microsoft Online Services Bug Bounty program. There were 30 recipients of such bounties in the first two quarters of 2016, but while their names are listed on the Bounty Hunters Honor Roll, the amounts awarded are not disclosed.

Stay tuned to the Microsoft Security Response Center blog for further updates to the Microsoft Bug Bounty programs.
