Microsoft opens limited bug bounty for CoreCLR and ASP.NET 5 betas

Microsoft wants hackers and researchers to prod the .NET Core runtime (CoreCLR) and the ASP.NET 5 betas shipped with Visual Studio 2015 for security vulnerabilities.

The Redmond company will pay as much as $15,000 for a remote code execution bug in its cross-platform runtime and web stack, provided the researcher also supplies a high-quality white paper describing the bug together with a functioning exploit and proof of concept.

Over the past year Microsoft has open sourced parts of its .NET programming framework and ported it to Linux and Mac OS X. .NET Core is the slimmed-down runtime and library set underpinning that effort, intended to let developers build .NET apps that run on Linux or Windows Server in the cloud.

Microsoft notes that the three-month program is strictly limited to the .NET Core runtime, CoreCLR, and the beta versions of ASP.NET 5 on Windows, Linux and Mac OS X.

“Starting a bounty program during our beta period allows us to address issues quickly and comprehensively,” Barry Dorrans, the security lead for ASP.NET, said in a blog post announcing the bounty program.

“With the first eligible release, beta 8, we are excluding the networking stack on Linux and OS X. In later beta and RC releases, once our cross platform networking stack matches the stability and security it has on Windows, we'll include it within the program,” Dorrans added.

The new program builds on other Microsoft Bounty Programs, including one for Microsoft Online Services such as Office 365 and Azure, and its mitigation bypass bounty, which offers up to $100,000 to the extra crafty hacker who can defeat exploit mitigations such as Data Execution Prevention (DEP).

As of August, Microsoft doubled its top reward for a solid defence against a mitigation bypass from $50,000 to $100,000, with the stated aim of bringing “defense up on par with offense”.

As for the latest .NET bounty, researchers will need to find an “unreported vulnerability in the latest beta or RC version of Microsoft CoreCLR, ASP.NET 5 and the default ASP.NET 5 templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015.”


At the low end, a $500 reward covers bypasses of CSRF protection; rewards rise for encoding and data protection failures, information disclosure to a client and authentication bypasses, with remote code execution at the top of the scale.

The bounty runs from today until January 20, 2016.

Microsoft ran a similarly time-limited bug bounty for its Edge browser for Windows 10 while the software was still a preview release, again in order to nip as many bugs in the bud as possible before it reached general availability.
