Microsoft introduces Visual Studio beta bug bounty programme

[Batu69]

$15,000 on the table

MICROSOFT HAS TICKLED THE CHIN of the vulnerability-hunting community by offering maximum payments of $15,000 for flaws in the beta versions of Visual Studio tools, CoreCLR and ASP.NET 5.

Only the most critical flaws will merit the $15,000 payout. Lesser bugs will compete for bounties starting at $500, which is probably still worth getting out of bed for unless you're a super model or Larry Ellison.

There are a scale of rewards, and many multiples of $500 are available. Any wretched discovery may lead to cash, and proof-of-concepts for remote code execution could earn anywhere from $1,500 to $15,000.

There is extra cash for extra effort, although we do not know how much. The window of opportunity is only open for a short while, so researchers are advised not to sit on their hands.

Microsoft is not new to the bounty business and the Visual Studio maximum payout falls far short of the $100,000 on offer via the Bounty for Defence bug bounty payout scheme.

The CoreCLR and ASP.NET 5 bug bounty programme begins on 20 October and ends on 20 January, according to a Security TechCentre blog post.

"For the duration of the programme, individuals across the globe have the opportunity to submit vulnerabilities found in the latest pre-release versions of CoreCLR and ASP.NET 5 running on Windows, Linux and Mac OS," the firm said.

"Qualified submissions are eligible for payment from a minimum of $500 to $15,000, and bounties will be paid out at Microsoft's discretion based on the quality and complexity of the vulnerability. Microsoft may pay more than $15,000 depending on the entry quality and complexity."

Cash will not be made available to anyone who brings tried and tested exploits to Microsoft, as the firm wants to hear only about new and undisclosed problems. This makes some sense, as Microsoft is presumably already well aware of its current difficulties. Or at least we hope that it is.

Source