Announcing a Microsoft .NET Core and ASP.NET Core Bug Bounty

It’s our pleasure to announce another exciting expansion of the Microsoft Bounty Programs. Today, we will be adding .NET Core and ASP.NET Core to our suite of ongoing bounty programs. We are offering a bounty on the Windows and Linux versions of .NET Core and ASP.NET Core starting on September 1, 2016. The program highlights are:

  • Microsoft will pay a bounty for critical and important vulnerabilities on the latest RTM version, or supported Beta or RC releases of latest versions of Microsoft .NET Core, ASP.NET Core
  • It includes vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later
  • Also included is Kestrel, Microsoft’s new web server
  • The supported platforms are Windows and Linux versions of .NET Core and ASP.NET Core
  • The vulnerability must both be submitted on and reproduce on the latest RTM version, or on supported Beta or RC releases above the current RTM version to qualify for a bounty
  • The better the quality of your report, the greater will be the payment
  • The bounty will begin on September 1, 2016 and run indefinitely (ending at Microsoft’s discretion)
  • Bounty payouts will range from $500 USD to $15,000 USD

You can install the current RTM version and subsequent betas from new bounty will be in addition to our currently ongoing Microsoft Edge RCE, Online Services, and Mitigation bypass and Bounty for Defense bounty programs. These additions are a part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.

As always, the most up-to-date information about the Microsoft Bounty Programs can be found at and in the associated terms and FAQs.

Happy hacking!

Jason Shirk and Akila Srinivasan