News

Microsoft Offers Up to $40,000 for .NET Vulnerabilities

HackMag490

Microsoft expands its bug bounty program for .NET and raises the maximum reward to $40,000 for certain bugs in .NET and ASP.NET Core.

The company stated that these changes reflect the actual complexity of finding and exploiting vulnerabilities related to .NET.

“We are pleased to announce significant updates to the Microsoft .NET bounty program. The changes expand the scope, simplify the reward structure, and offer great incentives for security professionals,” writes Madeline Eckert, Senior Program Manager of Security Researcher Incentives at Microsoft. “The program now offers up to $40,000 for vulnerabilities affecting .NET and ASP.NET Core (including Blazor and Aspire).”

Thus, Microsoft now pays:

  • up to $40,000 for critical remote code execution and privilege escalation bugs;
  • up to $30,000 for critical security feature bypasses;
  • up to $20,000 for critical remote denial of service (DoS) attacks.

The bug bounty program has also been expanded to cover more issues in the .NET Framework. It now includes:

  • all supported versions of .NET and ASP.NET;
  • related technologies, such as F#;
  • supported versions of ASP.NET Core for .NET Framework;
  • templates provided with supported versions of .NET and ASP.NET Core;
  • GitHub Actions in .NET and ASP.NET Core repositories.

As part of the restructured program, Microsoft will calculate rewards for vulnerabilities based on their potential impact, so that researchers receive higher amounts for serious defects.

It is noted that each report will be classified as “complete” or “incomplete” depending on the presence of fully functional exploits. Researchers will receive smaller rewards for theoretical attack scenarios.

Thus, for “incomplete” reports describing critical RCE, privilege escalation, and bypassing security mechanisms, one can earn a reward of up to $20,000. For “incomplete” reports on remote DoS attacks, the reward goes up to $15,000, while reports on spoofing, information disclosure, and incorrect documentation will earn specialists no more than $7,000.

“These updates are designed to enhance transparency and encourage the submission of detailed and actionable proposals that help improve the security of the entire .NET ecosystem,” Microsoft concluded.

it? Share:
14.02.2025 —
12,000 Kerio Control firewalls remain vulnerable to RCE
29.01.2025 —
Google to disable Sync in older Chrome versions
24.03.2025 —
Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
09.02.2025 —
Abandoned AWS S3 buckets could be used in attacks targeting supply chains
07.03.2025 —
YouTube warns of scam video featuring its CEO
18.02.2025 —
Chrome Enhanced Protection mode is now powered by AI
26.03.2025 —
Cloudflare to block all unencrypted traffic to its APIs
27.01.2025 —
YouTube plays hour-long ads to users with ad blockers
20.03.2025 —
8,000 vulnerabilities identified in WordPress ecosystem in 2024
10.04.2025 —
April updates released by Microsoft cause issues with Windows Hello
01.06.2022 —
F#ck AMSI! How to bypass Antimalware Scan Interface and infect Windows
21.02.2023 —
Herpaderping and Ghosting. Two new ways to hide processes from antiviruses
01.06.2022 —
Routing nightmare. How to pentest OSPF and EIGRP dynamic routing protocols
15.02.2022 —
EVE-NG: Building a cyberpolygon for hacking experiments
04.04.2022 —
Fastest shot. Optimizing Blind SQL injection
04.04.2023 —
Serpent pyramid. Run malware from the EDR blind spots!
09.02.2022 —
F#ck da Antivirus! How to bypass antiviruses during pentest
20.04.2023 —
Sad Guard. Identifying and exploiting vulnerability in AdGuard driver for Windows
09.02.2022 —
First contact: An introduction to credit card security
21.02.2023 —
SIGMAlarity jump. How to use Sigma rules in Timesketch