Image credits: Microsoft

Many companies run bug bounty programs to encourage people to search for and discover security vulnerabilities in their software and report them privately to the vendor, so that a fix can be developed and applied before a malicious actor exploits them. Security researchers and other members of the public are financially incentivized to do this through monetary rewards. Now, Microsoft has announced major updates to its .NET Bounty Program.

Rewards now start from $7,000 and go up to a mouth-watering $40,000. Keep in mind that the highest tier reward only applies to the private disclosure of a remote code execution (RCE) or elevation of privilege (EoP) vulnerability with complete documentation and a critical impact.

The breakdown for the various rewards tiers is as follows:

| Security Impact | Report Quality | Critical | Important |
|---|---|---|---|
| Remote Code Execution | Complete | $40,000 | $30,000 |
| Remote Code Execution | Not Complete | $20,000 | $20,000 |
| Elevation of Privilege | Complete | $40,000 | $10,000 |
| Elevation of Privilege | Not Complete | $20,000 | $4,000 |
| Security Feature Bypass | Complete | $30,000 | $10,000 |
| Security Feature Bypass | Not Complete | $20,000 | $4,000 |
| Remote Denial of Service | Complete | $20,000 | $10,000 |
| Remote Denial of Service | Not Complete | $15,000 | $4,000 |
| Spoofing or Tampering | Complete | $10,000 | $5,000 |
| Spoofing or Tampering | Not Complete | $7,000 | $3,000 |
| Information Disclosure | Complete | $10,000 | $5,000 |
| Information Disclosure | Not Complete | $7,000 | $3,000 |
| Documentation or samples included in documentation are insecure or encourage insecurity, and are not described as samples which do not take security into consideration | Complete | $10,000 | $5,000 |
| Documentation or samples included in documentation are insecure or encourage insecurity, and are not described as samples which do not take security into consideration | Not Complete | $7,000 | $3,000 |

It is important to note that the .NET Bounty Program primarily revolves around .NET and ASP.NET Core, including Blazor and Aspire. The new product categories, however, now cover all supported versions of .NET and ASP.NET, ASP.NET Core for .NET Framework, the templates shipped with them, the GitHub Actions in their repositories, and adjacent technologies such as F#.

The updated rewards structure ensures that severity levels are clearly defined, so that high-impact issues earn higher rewards, and it also sets out guidelines for when a report is considered "complete". You can find more information in Microsoft's dedicated blog post.