Microsoft Launches Bug Bounty for .NET Core, ASP.NET Core

Microsoft announced a bug bounty program for developers to find bugs in its .NET Core and ASP.NET Core runtime and web stack.


Microsoft announced it is offering a bug bounty for .NET Core and ASP.NET Core, the company's open-source cross-platform runtime and web stack.

The bounty includes both the Windows and Linux versions of .NET Core and ASP.NET Core, and includes Kestrel, Microsoft's new web server. It covers the current release version and the latest supported beta, or release candidate, of any future versions.

"Nothing makes me happier than being able to reward and recognize security researchers for their hard work in discovering and reporting these bugs and I look forward to continuing working with and compensating researchers for their efforts," said Barry Dorrans, a .NET security analyst at Microsoft, in a blog post on the bounty. "The entire team recognizes the value of bug bounties and we view them as having two great values, it's both the right thing to do for our customers and the right thing to do for the security researcher community."

A post by the Microsoft Security Response Center (MSRC) team says Microsoft will pay a bounty for critical and important vulnerabilities on the latest release to manufacturing (RTM) versions, or supported beta or RC releases of the latest versions, of Microsoft .NET Core and ASP.NET Core. It includes vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later.

The bounty began on Sept. 1 and will run indefinitely, with payouts ranging from $500 to $15,000.

Dorrans said that during the bounty periods for Release Candidates 1 and 2 of these platforms, Microsoft "received quite a few interesting, intriguing and even puzzling bugs" that the company addressed. In fact, the RC 1 bounty included one report that prompted an entire rewrite of a feature to make it easier for developers to use, Dorrans said.

Microsoft shipped .NET Core and ASP.NET Core on June 27. .NET Core is a cross-platform implementation of .NET that runs on Windows, with ports for Linux, OS X and FreeBSD.

Last month, Coding Dojo, a software development training firm and coding bootcamp pioneer, announced it would be providing training on .NET Core.

On Aug. 18, Coding Dojo announced an expansion of its roster of full-stack training programs with an ASP.NET Core class created in collaboration with Microsoft. With its portfolio of classes, Coding Dojo will provide training on the full .NET Core stack. In addition, the bootcamp company is working with Microsoft on supplemental courses.

As evidenced by Microsoft's Aug. 18 move to open-source its PowerShell automation platform and scripting language, the company is serious about enabling open-source software on its platforms and empowering open-source developers. Initially available only for Windows, PowerShell is now live on GitHub and is available on Windows, Linux and macOS. It consists of a command-line shell and associated scripting language built on the .NET Framework.

Like PowerShell, which is built on .NET, .NET itself was originally designed for Windows only. However, the open-source .NET Core platform is aimed at the broader developer community, including cloud and mobile developers building Android and iOS applications—which creates a major opportunity for training, said Kevin Saito, vice president of product management and marketing at Coding Dojo.

"Now that .NET can run on anything from a Raspberry Pi to a giant cloud-based application that is relied upon by millions of customers, developers have a whole new world of possibilities available to them," said Martin Woodward, executive director of the .NET Foundation, in a statement. "Training courses like Coding Dojo's are an essential part of introducing developers to the amazing open-source .NET community."