Microsoft has announced major updates to its .NET Bug Bounty Program, expanding its scope and increasing the maximum reward to $40,000 for critical vulnerabilities in .NET and ASP.NET Core.
Madeline Eckert, senior program manager for Researcher Incentives and Bounty at Microsoft, said the changes are designed to better reflect the complexity of identifying and exploiting vulnerabilities in .NET technologies. The updated program simplifies the award structure and now includes broader coverage across supported frameworks.
The new reward structure offers up to $40,000 for remote code execution and privilege escalation flaws, $30,000 for critical security feature bypasses, and up to $20,000 for remote denial-of-service vulnerabilities.
The program now includes:
- All supported versions of .NET and ASP.NET
- Related technologies like F#
- Supported ASP.NET Core versions for .NET Framework
- Official templates for .NET and ASP.NET Core
- GitHub Actions in .NET and ASP.NET Core repositories
Earlier this year, Microsoft also raised bug bounty rewards to $30,000 for AI vulnerabilities in Power Platform and Dynamics 365. In February, the company introduced higher payouts and a 100% award multiplier for moderate-severity Copilot (AI) flaws to encourage AI-focused research.
At the 2023 Ignite conference, Microsoft launched Zero Day Quest, a hacking competition centered on cloud and AI platforms, with $4 million in rewards.
These bounty initiatives fall under Microsoft’s Secure Future Initiative (SFI), a comprehensive cybersecurity overhaul introduced in November 2023. The program follows critical feedback from the U.S. Department of Homeland Security’s Cyber Safety Review Board, which had called Microsoft’s security practices inadequate and in need of significant reform.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
