
Microsoft will now pay you up to $40,000 for reporting vulnerabilities in .NET

Microsoft will now award anyone up to $40,000 if they privately disclose a high-severity security issue in .NET and ASP.NET Core, along with complete documentation.

Many companies offer bug bounty programs as they encourage people to search for and discover security vulnerabilities in software, and report them privately to the vendor so that a fix can be implemented and applied before a malicious actor exploits them. Security researchers and other members of the public are financially incentivized to do this as they are awarded monetary rewards. Now, Microsoft has announced major updates to its .NET Bounty Program.

Rewards now start from $7,000 and go up to a mouth-watering $40,000. Keep in mind that the highest-tier reward applies only to the private disclosure of a remote code execution (RCE) or Elevation of Privilege (EoP) vulnerability that has a critical impact and comes with complete documentation.

The breakdown for the various rewards tiers is as follows:

| Security Impact | Report Quality | Critical | Important |
|---|---|---|---|
| Remote Code Execution | Complete | $40,000 | $30,000 |
| Remote Code Execution | Not Complete | $20,000 | $20,000 |
| Elevation of Privilege | Complete | $40,000 | $10,000 |
| Elevation of Privilege | Not Complete | $20,000 | $4,000 |
| Security Feature Bypass | Complete | $30,000 | $10,000 |
| Security Feature Bypass | Not Complete | $20,000 | $4,000 |
| Remote Denial of Service | Complete | $20,000 | $10,000 |
| Remote Denial of Service | Not Complete | $15,000 | $4,000 |
| Spoofing or Tampering | Complete | $10,000 | $5,000 |
| Spoofing or Tampering | Not Complete | $7,000 | $3,000 |
| Information Disclosure | Complete | $10,000 | $5,000 |
| Information Disclosure | Not Complete | $7,000 | $3,000 |
| Documentation or samples included in documentation are insecure or encourage insecurity, and are not described as samples that do not take security into consideration | Complete | $10,000 | $5,000 |
| Documentation or samples included in documentation are insecure or encourage insecurity, and are not described as samples that do not take security into consideration | Not Complete | $7,000 | $3,000 |

It is important to note that the .NET Bounty Program primarily revolves around .NET and ASP.NET Core, including Blazor and Aspire. However, the new product categories now cover all supported versions of .NET and ASP.NET, ASP.NET Core for .NET Framework, the templates shipped with them, the GitHub Actions in their repositories, and adjacent technologies such as F#.

The updated rewards structure ensures that severity levels are clearly defined so that high-impact issues earn higher rewards, and it also sets out guidelines for when a report is considered "complete". You can find more information in Microsoft's dedicated blog post.
