Microsoft bug bounty program adds .NET Core and ASP.NET Core

Microsoft has expanded its bug bounty programs to cover the open-source .NET Core and ASP.NET Core application development platforms.

The .NET Core and ASP.NET Core technologies are used to create server applications that can run on Windows, Linux, and Mac. The ability to write code once and have it run on multiple platforms have made these technologies popular with enterprise software developers.

Microsoft will pay monetary rewards between US$500 and $15,000 for critical vulnerabilities in the RTM (release to manufacturing), Beta, or RC (release candidate) releases of these platforms.

Flaws in Microsoft’s cross-platform Kestrel web server are also covered by the new bug bounty program, as well as vulnerabilities in the default ASP.NET Core templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015 or later.

The supported platforms are the Windows and Linux versions of .NET Core and ASP.NET Core, and higher quality reports will be rewarded with a higher bounty, Microsoft said in a blog post.

The company has ongoing bug bounty programs for Office 365, Azure, and Microsoft Edge. It also rewards researchers for finding novel exploitation techniques against the protections built into Windows, as well as for defensive ideas that can lead to new exploit mitigations.

By expanding the vulnerability rewards program to software development tools, Microsoft will draw attention to their security and indirectly benefit companies who use these technologies for their custom applications.

According to the latest State of Software Security report from application security vendor Veracode, .NET is the second most popular programming language in the enterprise space after Java. Moreover, while Java’s popularity has been on the decline for the last few years, the adoption rate for .NET has steadily increased, according to Veracode’s data.