Microsoft Offers Up to $40,000 for .NET Vulnerabilities

📟 News

Date: 05/08/2025

Microsoft expands its bug bounty program for .NET and raises the maximum reward to $40,000 for certain bugs in .NET and ASP.NET Core.

The company says the changes reflect the real-world difficulty of finding and exploiting vulnerabilities in .NET.

“We are pleased to announce significant updates to the Microsoft .NET bounty program. The changes expand the scope, simplify the reward structure, and offer great incentives for security professionals,” writes Madeline Eckert, Senior Program Manager of Security Researcher Incentives at Microsoft. “The program now offers up to $40,000 for vulnerabilities affecting .NET and ASP.NET Core (including Blazor and Aspire).”

Thus, Microsoft now pays:

  • up to $40,000 for critical remote code execution (RCE) and privilege escalation bugs;
  • up to $30,000 for critical security feature bypasses;
  • up to $20,000 for critical remote denial-of-service (DoS) vulnerabilities.

The program's scope has also been widened. It now covers:

  • all supported versions of .NET and ASP.NET;
  • related technologies, such as F#;
  • supported versions of ASP.NET Core for .NET Framework;
  • templates provided with supported versions of .NET and ASP.NET Core;
  • GitHub Actions in .NET and ASP.NET Core repositories.

Under the restructured program, Microsoft calculates rewards from a vulnerability's potential impact, so that the most serious defects earn the highest amounts.

Each report will also be classified as either “complete” or “incomplete”, depending on whether it includes a fully working exploit; purely theoretical attack scenarios earn smaller rewards.

For “incomplete” reports describing critical RCE, privilege escalation, or security feature bypass, the reward is up to $20,000. For “incomplete” reports on remote DoS it is up to $15,000, while reports on spoofing, information disclosure, and documentation errors earn no more than $7,000.

“These updates are designed to enhance transparency and encourage the submission of detailed and actionable proposals that help improve the security of the entire .NET ecosystem,” Microsoft concluded.
