News

As Devs Code .NET Core, Microsoft Offers Bug Bounty

As developers churn through coding the next versions of .NET Core and other key Microsoft technologies, the company offers new bounties on bugs. Program runs to September.

As the community of developers churning through open sourced versions of the upcoming .NET Core 1.0, ASP.NET Core 1.0 and other key Microsoft technologies, there's bound to be some bugginess to the code. With that, Microsoft is offering a window of opportunity for developers to cash in on discovering bugs with a three-month bug bounty program.

There's actually a number of bug bounty programs being offered by Microsoft, including ones for those discovering bugs with Office 365 and Azure that are ongoing, but most relevant to developers are the ones for .NET Core and ASP.NET Core.

According to a new post on Microsoft's Security TechCenter, the bounty program runs from June 7 to September 7, and is worth $500 to $15,000 if developers submit a discovered vulnerability within .NET Core and ASP.NET Core R2 and other releases that are made available within the next three months.

Developers who want to get a payout for bugs must submit the bug using the Coordinated Vulnerability Disclosure guidelines, and the bug must be original, so timing is key in submissions (as other developers might be discovering the same or similar bugs).

Much of the information on submission and criteria and qualification of bug submissions is on the Program Terms page here. In a nutshell, any submitted vulnerability has to be original and a flaw that hasn't shown up in any vulnerability reports, and the flaw has to be well documented so that Microsoft's security researchers can reproduce the flaw as a proof of concept. Examples of qualified submissions are "bypasses of CSRF protection, Encoding, Data Protection failures, Information disclosures to a client, Authentication bypasses and Remote Code Execution," notes the Program Terms, and must come with exacting steps for reproducing the flaw.

Specific payouts and steps for submitting bugs to the bounty program are available on the Program Terms page in the TechNet Security Center site.

About the Author

Michael Domingo is a long-time software publishing veteran, having started up and managed several developer publications for the Clipper compiler, Microsoft Access, and Visual Basic. He's also managed IT pubs for 1105 Media, including Microsoft Certified Professional Magazine and Virtualization Review before landing his current gig as Visual Studio Magazine Editor in Chief. Besides his publishing life, he's a professional photographer, whose work can be found by Googling domingophoto.

comments powered by Disqus

Featured

  • How to Do Naive Bayes with Numeric Data Using C#

    Dr. James McCaffrey of Microsoft Research uses a full code sample and screenshots to demonstrate how to create a naive Bayes classification system when the predictor values are numeric, using the C# language without any special code libraries.

  • Vortex

    Open Source 'Infrastructure-as-Code' SDK Adds .NET Core Support for Working with Azure

    Pulumi, known for its "Infrastructure-as-Code" cloud development tooling, has added support for .NET Core, letting .NET-centric developers use C#, F# and VB.NET to create, deploy, and manage Azure infrastructure.

  • .NET Framework Not Forgotten: Repair Tool Updated

    Even though Microsoft's development focus has shifted to the open-source, cross-platform .NET Core initiative -- with the aging, traditional, Windows-only .NET Framework relegated primarily to fixes and maintenance such as quality and reliability improvements -- the latter is still getting some other attention, as exemplified in a repair tool update.

  • How to Work with C# Vectors and Matrices for Machine Learning

    Here's a hands-on tutorial from bona-fide data scientist Dr. James McCaffrey of Microsoft Research to get you up to speed with machine learning development using C#, complete with code listings and graphics.

  • Sign

    Working with Claims to Authorize Users in ASP.NET Core and Blazor

    When you need to integrate authorizing the user to perform some activity (or just want to retrieve information about the current user), you need to work with the ClaimsPrincipal’s Claims objects. Here’s everything you might want to do.

.NET Insight

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.

Upcoming Events