A guest post from Barry Dorrans, the security lead for ASP.NET
Today, with great excitement, we announce an introductory 3 month bug bounty program for .NET Core and ASP.NET, our new open source, cross platform runtime and web stack. The program encompasses the latest beta version, beta 8 and any subsequent beta or release candidates released during the program period.
We recognize that you, our customers, rely on our platforms and development tools to write your own software. The more secure we can make our frameworks the more secure your software can be. We take your trust seriously and this program is part of our investment in improving the security of our frameworks on all platforms. Starting a bounty program during our beta period allows us to address issues quickly and comprehensively. We are able to reward and recognize security researchers for their hard work and for any qualifying security bugs they report to us under the aegis of the program. This is the right thing for our customers and for the security researcher community.
The bounty includes all supported platforms .NET Core and ASP.NET runs on; Windows, Linux and OS X. However with the first eligible release, beta 8, we are excluding the networking stack on Linux and OS X. In later beta and RC releases, once our cross platform networking stack matches the stability and security it has on Windows, we’ll include it within the program. When this happens we’ll update the bounty terms and conditions and make a blog post on this blog. The ASP.NET web site has instructions on how to install beta 8 on Windows, Linux and OS X. Windows researchers can use Visual Studio 2015, including the free Visual Studio 2015 Community Edition, after following the instructions to update the web tooling. The source for .NET Core can be found on GitHub at https://github.com/dotnet/corefx. The source for ASP.NET v5 can be found on GitHub at https://github.com/aspnet.
We encourage you to read the program terms and FAQs before beginning your research or reporting a vulnerability. We would also like to applaud and issue a hearty and grateful thanks to everyone in the community who has reported issues in .NET and ASP.NET in the past. We look forward to rewarding you in the future as we take .NET and ASP.NET cross platform.