.NET Bounty Program now offers up to $40k in awards
9 months ago
- #.NET
- #Bounty
- #Security
- .NET Bounty Program now offers up to $40,000 in awards for vulnerabilities impacting .NET and ASP.NET Core.
- The program scope has expanded to include all supported versions of .NET, ASP.NET, adjacent technologies like Aspire and F#, GitHub Actions in .NET and ASP.NET Core repositories, and more.
- Vulnerabilities must be reported privately to MSRC via email or portal to qualify for the bounty; GitHub issues do not qualify.
- The awards structure has been updated with clear severity levels, aligned impact categories, and defined report quality criteria.
- Increased award amounts reflect the complexity of discovering and exploiting vulnerabilities, with maximum awards for critical remote code execution set at $40,000.
- The program encourages detailed, actionable submissions to improve the security of the .NET ecosystem.