News

Securing ASP.NET: Find a Flaw, Get $15K

Microsoft's ASP.NET team is willing to pay $15,000 to developers who discover specific security gaps in .NET Core and ASP.NET.

Microsoft's ASP.NET team is turning to developers to help them to seek out and plug up security gaps in .NET Core and ASP.NET as the beta versions of those solutions are developed over the next three months. The bug bounty program starts October 20, and it "encompasses the latest beta version, beta 8 and any subsequent beta or release candidates released during the program period," according to ASP.NET security lead Barry Dorrans, in a blog post. For specific bugs, Microsoft will pay $500 up to $15,000.

The bug bounty program applies currently to flaws discovered within the beta 8 versions of .NET Core and ASP.NET running on Windows platform. At some point, those versions running on Linux and OS X will be included "once our cross platform networking stack matches the stability and security it has on Windows," notes Dorrans.

Developers who discover bugs do have to meet some criteria in order to obtain a payout. The vulnerability has to be original and a flaw that hasn't shown up in any vulnerability reports, and the flaw has to be well documented so that Microsoft's security researchers can reproduce the flaw as a proof of concept.

Template cross-site request forgery and cross-site scripting vulnerabilities pay $500, and remote code execution flaws can pay up to $15,000. Microsoft will pay out for other flaws as well: information leaks, spoofing, remote denial of service attacks, elevation of privilege, and security design flaws. Specific payouts and steps for submitting bugs to the bounty program are available on the Program Terms page in the TechNet Security Center site.

About the Author

You Tell 'Em, Readers: If you've read this far, know that Michael Domingo, Visual Studio Magazine Editor in Chief, is here to serve you, dear readers, and wants to get you the information you so richly deserve. What news, content, topics, issues do you want to see covered in Visual Studio Magazine? He's listening at mdomingo@1105media.com.

comments powered by Disqus

Featured

  • Visual Studio Code Dev Team Cleans Up

    The Visual Studio Code development team focused on some housekeeping in the October update, closing more than 4,000 issues on GitHub, where the cross-platform, open-source editor lives.

  • ML.NET Model Builder Update Boosts Image Classification

    Microsoft announced an update to the Model Builder component of its ML.NET machine learning framework, boosting image classification and adding "try your model" functionality for predictions with sample input.

  • How to Do Naive Bayes with Numeric Data Using C#

    Dr. James McCaffrey of Microsoft Research uses a full code sample and screenshots to demonstrate how to create a naive Bayes classification system when the predictor values are numeric, using the C# language without any special code libraries.

  • Vortex

    Open Source 'Infrastructure-as-Code' SDK Adds .NET Core Support for Working with Azure

    Pulumi, known for its "Infrastructure-as-Code" cloud development tooling, has added support for .NET Core, letting .NET-centric developers use C#, F# and VB.NET to create, deploy, and manage Azure infrastructure.

  • .NET Framework Not Forgotten: Repair Tool Updated

    Even though Microsoft's development focus has shifted to the open-source, cross-platform .NET Core initiative -- with the aging, traditional, Windows-only .NET Framework relegated primarily to fixes and maintenance such as quality and reliability improvements -- the latter is still getting some other attention, as exemplified in a repair tool update.

.NET Insight

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.

Upcoming Events