Microsoft Bug Bounty Extends Scope
Written by Alex Armstrong
Tuesday, 04 October 2016

Microsoft recently added .NET Core and ASP.NET Core to its suite of ongoing bounty programs. It has also expanded its Remote Code Execution Bounty for Microsoft Edge.

The .NET Core and ASP.NET Core program started on September 1, 2016 with the following key points:

  • Microsoft will pay a bounty for critical and important vulnerabilities on the latest RTM version, or supported Beta or RC releases of latest versions of Microsoft .NET Core, ASP.NET Core on both Windows and Linux

  • It includes vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later and Kestrel, Microsoft’s new web server

  • To qualify for a bounty, the vulnerability must both be submitted on and reproduce on the latest RTM version, or on supported Beta or RC releases above the current RTM version. The better the quality of your report, the greater the payment will be

  • Bounty payouts will range from $500 USD to $15,000 USD

A bounty for RCE (Remote Code Execution) vulnerabilities in Microsoft Edge on Windows Insider Preview builds was introduced on August 4, 2016 and runs until May 15, 2017. Initially it offered the following rewards:

Vulnerabilities in open source sections of Chakra are also included in the program.

At the end of September it was extended with the MSRC Team explaining:

Since security is a continuous effort and not a destination, we prioritize acquiring different types of vulnerabilities in different points of time. Currently, we are focusing on vulnerabilities that lead to violation of W3C standards that compromise privacy and integrity of important user data, and RCEs.

As a result, rewards are available for reporting Same Origin Policy (SOP) bypass vulnerabilities, for example UXSS, and referrer spoofs with proof of concept, i.e. the files and steps necessary to reliably reproduce the vulnerability. A bounty of up to $6,000 will be paid in the case of a high quality report, or up to $1,500 in the case of a low quality report.

Microsoft's highest level of reward is for the Mitigation Bypass Bounty and Bounty for Defense Program, initiated in 2013. Submitting a novel mitigation bypass against the latest Windows platform can earn up to $100,000, with a further $100,000 on offer for a defense technique to block it. The highest payout to date has been $125,000 in 2015. So far in 2016, 7 payouts, ranging from $5,000 to $100,000 and totalling $245,000, have been made.

Bounties of between $500 and $15,000 are also regularly paid as part of the Microsoft Online Services Bug Bounty program. There were 30 recipients of such bounties in the first two quarters of 2016, but while their names are listed on the Bounty Hunters Honor Roll, the amounts awarded are not supplied.

Stay tuned to the Microsoft Security Response Center blog for further updates to the Microsoft Bug Bounty programs.
