Friday 15 July 2016

Microsoft extended bug bounty program to target .NET Core

Microsoft has planned to extend its bug bounty program to include the .NET core and ASP.NET Core RC2 framework. The senior director of Microsoft’s Security Response Center, Jason Shirk confirmed that the latest program will remain active from June 7 to September 7 this year. Testing will be done on the platforms – Windows, Linux and OS X.
Jason added – the bounty amount will range from $500 to $15,000 and divided based on the severity of the bug and security. Now reporting could be done only after presenting a valid and unreported bug. This means all .NET developers should submit a valid bug to qualify for the reward. The acceptable vulnerabilities are privilege escalation bugs, remote code execution (RCE) vulnerabilities, remote denial-of-service (DoS) weaknesses, security design flaws, XSS vulnerabilities and information leaks.

Not only this, if any of the reported bugs requires a special treatment, then the reward payment amount will increase from $15000. Shirk said, “Bounties will be worked alongside Security Development Lifecycle (SDL), regular penetration testing of our products and services, Security and Compliance Accreditations by third party audits and Operational Security Assurance (OSA) framework”.

Microsoft also has other bounty programs like Mitigation bypass, Microsoft's Nano Server beta, Bounty for Defense program, Online Services, and Nano Server beta.

No comments:

Post a Comment