.NET Bounty Program now offers up to $40,000 in awards

.NET Bounty Program now offers up to $40,000 in awards
微软更新了.NET漏洞赏金计划，扩大覆盖范围并增加最高至4万美元的奖励金额，涵盖更多技术与场景，并优化了漏洞评估与奖励标准。 2025-7-31 07:0:0 Author: msrc.microsoft.com(查看原文) 阅读量:0 收藏

We’re excited to announce significant updates to the Microsoft .NET Bounty Program. These changes expand the program’s scope, simplify the award structure, and offer great incentives for security researchers.

The .NET Bounty Program now offers awards up to $40,000 USD for vulnerabilities impacting the .NET and ASP.NET Core (including Blazor and Aspire).

Program scope expansion

The .NET Bounty Program now provides broader coverage across .NET. It includes:

All supported versions of .NET and ASP.NET
Adjacent technologies such as F#
Supported versions of ASP.NET Core for .NET Framework
Templates provided with supported versions of .NET and ASP.NET Core
GitHub Actions in the .NET and ASP.NET Core repositories

These updates ensure continuous security review and protection for Microsoft customers across a wider range of technologies.

Awards structure update

The restructured .NET Bounty Program introduces several improvements to how submissions are evaluated and rewarded. The new award tables now clearly define severity levels, specify different types of security impacts, and outline revised criteria for report quality.

Clear severity levels: Awards are now based on the potential impact of a vulnerability, ensuring higher-impact issues receive greater rewards.

Aligned impact categories: Security impact types now match those used in other Microsoft bounty programs, helping researchers understand how their submissions will be assessed.

Defined report quality: Submissions are rated as either “complete” or “not complete.” Only reports that include fully functional exploits qualify as “complete.” Theoretical scenarios are still considered but receive lower awards based on practical impact.

These updates promote transparency and encourage detailed, actionable submissions that help improve the security of the .NET ecosystem.

Increased award amounts

We’ve increased the award amounts to better reflect the complexity of discovering and exploiting vulnerabilities within .NET.

Security Impact	Report Quality	Critical	Important
Remote Code Execution	Complete	$40,000	$30,000
Remote Code Execution	Not Complete	$20,000	$20,000
Elevation of Privilege	Complete	$40,000	$10,000
Elevation of Privilege	Not Complete	$20,000	$4,000
Security Feature Bypass	Complete	$30,000	$10,000
Security Feature Bypass	Not Complete	$20,000	$4,000
Remote Denial of Service	Complete	$20,000	$10,000
Remote Denial of Service	Not Complete	$15,000	$4,000
Spoofing or Tampering	Complete	$10,000	$5,000
Spoofing or Tampering	Not Complete	$7,000	$3,000
Information Disclosure	Complete	$10,000	$5,000
Information Disclosure	Not Complete	$7,000	$3,000
Documentation or samples included in documentation are insecure or encourage insecurity and are not described as samples which do not take security into consideration	Complete	$10,000	$5,000
	Not Complete	$7,000	$3,000

Thank you to our researchers and collaborators for your continued partnership. Your contributions are essential to strengthening the security of .NET, and we look forward to your future submissions.

Cheers,

Madeline Eckert, MSRC and Barry Dorrans, .NET Security

文章来源: https://msrc.microsoft.com/blog/2025/07/net-bounty-program-now-offers-up-to-40000-in-awards/
如有侵权请联系:admin#unsafe.sh