Microsoft .NET Core and ASP.NET Core Bug Bounty Program Terms

PROGRAM DESCRIPTION

We are pleased to announce an ongoing .NET Core and ASP.NET Core bug bounty program starting on September 1, 2016. For the duration of the program, we invite you to email secure@microsoft.com to submit vulnerabilities found in the latest release candidates, or RTM version of .NET Core and ASP.NET Core running on Windows, Linux and MacOS. You can install the current RTM version and subsequent betas from https://dot.net/.

Qualified submissions are eligible for payments of $500-$15,000 USD, depending on the quality and complexity of the vulnerability as determined by Microsoft. For extremely high-quality submissions we may pay more than $15,000 USD, at our sole discretion.

WHAT CONSTITUTES AN ELIGIBLE SUBMISSION?

To be eligible for payment, your submissions must meet the following criteria:

  • Your report must identify an original and previously unreported vulnerability in the latest RTM version, or supported Beta or RC releases of latest versions of Microsoft .NET Core, ASP.NET Core and the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later.
  • Vulnerability examples may include bypasses of CSRF protection, Encoding, Data Protection failures, Information disclosures to a client, Authentication bypasses and Remote Code Execution.
  • The vulnerability must both be submitted on and reproduce on the latest RTM version, on supported Beta or RC releases above the current RTM version, or the associated support documentation and samples.
  • To facilitate quick reproduction of the vulnerability, we request that you include complete and easily understood instructions to reproduce the vulnerability. As shown in the payment table below, high-quality instructions support a higher bounty payment.

Microsoft may reject any submission that it determines does not meet these criteria, at its sole discretion.

HOW ARE PAYMENT AMOUNTS SET?

  • Bounties ranging from $500 - $15,000 USD will be paid out at Microsoft’s discretion based on the quality and complexity of the vulnerability. Microsoft retains sole discretion in determining which submissions are qualified.
  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission based on the criteria mentioned above
  • If a duplicate report provides new information that was previously unknown to Microsoft, we will award a differential to the duplicate submission
  • The first external report received on an internally known issue will receive a maximum of $1,500 USD.
  • If you do not wish to receive a bounty payment for your vulnerability submission, Microsoft will gladly work with you to donate the bounty to an approved charity.

The payment range for eligible submissions will be based upon the following:

Vulnerability type Proof of concept Functioning Exploit Whitepaper / Report Quality Payout range (USD)
Remote Code Execution Required Required High Up to $15,000
Required No High Up to $6,000
Required No Low Up to $1,500
Security Design Flaw Required Required High Up to $10,000
Required Optional High Up to $5,000
Required No Low Up to $1,500
Elevation of Privilege Required Required High Up to $10,000
Required No Low Up to $5,000
Remote DoS Required Optional High Up to $5,000
Required No Low Up to $2,500
Tampering / Spoofing Required Optional High Up to $5,000
Required No Low Up to $2,500
Information Leaks Required Optional High Up to $2,500
Required No Low Up to $750
Template CSRF or XSS Required Optional High Up to $2,000
Required Optional Low Up to $500
Documentation or samples included in documentation are insecure or encourage insecurity and are not described as samples which do not take security into consideration Required Optional High Up to $1000
Required Optional Low Up to $500
      <p>*Higher payouts are possible, at Microsoft’s sole discretion, based on entry quality and complexity</p>
    </div>
    <div style="margin-top:15px;">
      <p>
        <strong>WHAT CONSTITUTES AN INELIGIBLE SUBMISSION?</strong>
      </p>
      <p>The aim of the bug bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our users and our users’ data. While we encourage any submissions that describe security vulnerabilities in ASP.NET, the following are examples of vulnerabilities that will not earn a bounty reward under this program:</p>
      <ul>
        <li>Publicly-disclosed vulnerabilities which are already known to Microsoft and the wider security community</li>
        <li>Vulnerabilities in user-generated content</li>
        <li>Vulnerabilities requiring extensive or unlikely user actions</li>
        <li>Vulnerabilities which disable or do not use any built in mitigation mechanisms</li>
        <li>Low impact CSRF bugs</li>
        <li>Server-side information disclosure</li>
        <li>Vulnerabilities in platform technologies that are not unique to .NET Core or ASP.NET Core (for example IIS, OpenSSL etc.)</li>
      </ul>
      <p>We reserve the right to reject any submission that we determine, in our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.</p>
    </div>
    <div style="margin-top:15px;">
      <p>
        <strong>.NET and ASP.NET BUG BOUNTY PROGRAM TIMELINES</strong>
      </p>
      <table class="bountyTable" style="margin:10px 10px 10px 10px;border:1px solid black;border-collapse:collapse;">
        <thead>
          <tr>
            <td style="width:135px;text-align:center;border:1px solid black;border-collapse:collapse;">
              <strong>Program Name</strong>
            </td>
            <td style="width:135px;text-align:center;border:1px solid black;border-collapse:collapse;">
              <strong>Start Date</strong>
            </td>
            <td style="width:110px;text-align:center;border:1px solid black;border-collapse:collapse;">
              <strong>Ending Date</strong>
            </td>
            <td style="width:115px;text-align:center;border:1px solid black;border-collapse:collapse;">
              <strong>Announcement Link</strong>
            </td>
          </tr>
        </thead>
        <tr style="background-color:#d9e2f3;">
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;">
            <strong>CoreCLR and ASP. NET 5 Technical Preview Bounty</strong>
          </td>
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;height:25px;">October 20, 2015</td>
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;height:25px;">January 20, 2016</td>
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;">
            <a runat="server" href="https://blogs.msdn.microsoft.com/webdev/2015/10/20/net-core-and-asp-net-launches-a-beta-bug-bounty-program/">https://blogs.msdn.microsoft.com/webdev/2015/10/20/net-core-and-asp-net-launches-a-beta-bug-bounty-program/</a>
          </td>
        </tr>
        <tr>
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;">
            <strong>NET Core and ASP.NET Core RC2 Bug Bounty</strong>
          </td>
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;height:25px;">June 7, 2016</td>
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;height:25px;">September 7, 2016</td>
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;">
            <a runat="server" href="https://blogs.msdn.microsoft.com/webdev/2016/06/07/announcing-a-new-net-and-asp-net-core-bug-bounty/">https://blogs.msdn.microsoft.com/webdev/2016/06/07/announcing-a-new-net-and-asp-net-core-bug-bounty/</a>
          </td>
        </tr>
        <tr style="background-color:#d9e2f3;">
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;">
            <strong>Microsoft .NET Core and ASP.NET Core Bug Bounty</strong>
          </td>
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;height:25px;">September 1, 2016</td>
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;height:25px;">Ongoing</td>
          <td style="text-align:center;border:1px solid black;border-collapse:collapse;">
            <a runat="server" href="https://blogs.msdn.microsoft.com/webdev/2016/09/01/announcing-the-ongoing-bug-bounty-for-net-core-and-asp-net-core/">https://blogs.msdn.microsoft.com/webdev/2016/09/01/announcing-the-ongoing-bug-bounty-for-net-core-and-asp-net-core/</a>
          </td>
        </tr>
      </table>

    </div>
    <div style="margin-top:15px;">
      <p>
        <strong>BOUNTY PROGRAM FREQUENTLY ASKED QUESTIONS AND PROGRAM REQUIREMENTS</strong>
      </p>
      <p>It is your responsibility to comply with the <a runat="server" href="https://technet.microsoft.com/en-us/dn425055">Microsoft Bounty Program – Comprehensive Terms listed in the FAQ.</a> Please see the <a runat="server" href="https://technet.microsoft.com/en-us/dn425055">Microsoft Bounty Program FAQ to get detailed instructions on:</a></p>
      <ol>
        <li>Reporting bugs to Microsoft</li>
        <li>Microsoft’s triage and payment process</li>
        <li>Eligibility criteria for participation</li>
        <li>Bounty payment policies</li>
        <li>Your confidentiality obligations</li>
        <li>Microsoft’s privacy statement and legal notice</li>
        <li>Other questions on the various Microsoft bounty programs</li>
      </ol>
      <p>Thank you for participating in the Microsoft Bug Bounty Program!</p>
    </div>
  </div>
</td>
<td valign="top" style="width:25%;">
  <div>
    <ContentInclude Identifier="mt797755" runat="server" />
    <ContentInclude Identifier="mt797756" runat="server" />
    <div style="background-color: #eeeeee;  padding-top: 15px; padding-left: 18px;     padding-right: 18px; padding-bottom: 10px; margin-bottom: 1px; ">
      <p style="margin-bottom: 7px; color: #454545; font-size: 15px;">MSRC Blog</p>
    </div>
    <FeedViewerBasic RssUrl="https://blogs.technet.microsoft.com/msrc/feed/" IsDiscoverable="True" Layout="Featured" NumberOfItems="3" ShowDates="False" ShowAuthor="False" ItemSize="150" SortByDate="True" runat="server" ExternalGuid="ED0CDBC4-41D3-A225-7397-795C85B33FF2" />
    <div style="background-color: #eeeeee;  padding-top: 15px; padding-left: 18px;     padding-right: 18px; padding-bottom: 10px; margin-bottom: 1px; ">
      <p style="margin-bottom: 7px; color: #454545; font-size: 15px;">SRD Blog</p>
    </div>
    <FeedViewerBasic RssUrl="https://blogs.technet.microsoft.com/srd/feed/" Layout="Featured" ItemSize="150" NumberOfItems="3" SortByDate="True" ShowDates="False" ShowAuthor="False" IsDiscoverable="True" runat="server" ExternalGuid="E004634C-EE48-506D-B1F0-C87F9651380B" />
    <ContentInclude Identifier="mt797757" runat="server" />
  </div>
</td>