Announcing a new .NET and ASP.NET Core Bug Bounty

Now that you’re all updated to RC2 I am pleased to announce a further 3 month bug bounty program for .NET Core and ASP.NET Core, our cross platform runtime and web stack. The program encompasses the RC2 and, should its release fall within the 3 months programme period, the RTM version. The bounty will run from 7th June 2016 till 7th September 2016.

During the RC1 bug bounty we received quite a few interesting bugs which we’d addressed, including one which prompted an entire rewrite of a feature to make it easier for developers to use successfully. It’s been a great source of pleasure for me to to reward and recognize security researchers for their hard work in discovering and reporting these bugs and I look forward to doing the same for any qualifying security bugs that follow in the next 3 months. As before we consider bug bounties a win-win, as it is both is the right thing for our customers and for the security researcher community.

The bounty includes both the Windows and Linux versions of .NET Core and ASP.NET Core, and includes Kestrel, our new web server.

https://dot.net/ has instructions on how to install RC2 on Windows, Linux and OS X. Windows researchers can use Visual Studio 2015, including the free Visual Studio 2015 Community Edition. The source for .NET Core can be found on GitHub at https://github.com/dotnet/corefx. The source for ASP.NET Core can be found on GitHub at https://github.com/aspnet.

We encourage you to read the program terms and FAQs before beginning your research or reporting a vulnerability. We would also like to applaud and issue a hearty and grateful thanks to everyone in the community who has reported issues in .NET and ASP.NET in the past. We look forward to rewarding you in the future as we take .NET and ASP.NET cross platform.

Further information on all Microsoft Bug Bounty programs can be found at https://aka.ms/BugBounty and in the associated terms and FAQs.