Announcing the ongoing Bug Bounty for .NET Core and ASP.NET Core

Barry

September 1st, 2016

It’s with a great deal of pleasure that I can announce an on-going bug bounty for .NET Core and ASP.NET Core, our cross platform runtime and web stack.

During the RC1 and RC2 bounty periods we received quite a few interesting, intriguing and even puzzling bugs which we’ve addressed. The RC 1 bounty included one report which prompted an entire rewrite of a feature to make it easier for developers to use successfully.

Nothing makes me happier than being able to reward and recognize security researchers for their hard work in discovering and reporting these bugs and I look forward to continuing working with and compensating researchers for their efforts. The entire team recognizes the value of bug bounties and we view them as having two great values, it’s both the right thing to do for our customers and the right thing to do for the security researcher community.

The bounty includes both the Windows and Linux versions of .NET Core and ASP.NET Core, and includes Kestrel, our new web server. It encompasses the current release version, and the latest supported beta, or release candidate of any future versions.

https://dot.net/core has instructions on how to install .NET Core on Windows, Linux and OS X. Windows researchers can use Visual Studio 2015, including the free Visual Studio 2015 Community Edition. The source for .NET Core can be found on GitHub at https://github.com/dotnet/corefx. The source for ASP.NET Core can be found on GitHub at https://github.com/aspnet.

We encourage you to read the MSRC announcement which has a link to the program terms and FAQs before beginning your research or reporting a vulnerability. We would also like to applaud and issue a hearty and grateful thanks to everyone in the community who has reported issues in .NET and ASP.NET in the past. We look forward to rewarding you in the future as we take .NET and ASP.NET cross platform.

Further information on all Microsoft Bug Bounty programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.