Microsoft Will Pay Hackers of .NET Core Up to $15,000

[Batu69]

Redmond’s bug bounty program expanded once again

   Microsoft wants to make its products more secure with help from researchers around the world

 

Microsoft has just announced an extension of its bug bounty program that brings payments of up to $15,000 (€12,500) to hackers who manage to break into .NET Core and ASP.NET Core RC2 Beta Build.

Microsoft says that all bounties will be eligible for NET Core, ASP.NET Core RC2, and any subsequent release candidates, including the RTM version if it’s released by the time the program ends. Bug reports can be submitted between June 7 and September 7 and can bring you back at least $500 (€450) and a maximum of $15,000 if you find one critical vulnerability.

The company adds that should any submission be considered a special entry, a bigger bounty could be offered, so it’s all up to how big the vulnerability you find actually is.

RCE flaws bring the biggest amount of money

The supported platforms are Windows, OS X, and Linux, and Microsoft explains that you can submit any type of vulnerability, including remote code execution (RCE) vulnerabilities, security design flaws, privilege escalation bugs, remote denial-of-service (DoS) weaknesses, information leaks and XSS.

“This new bounty will be in addition to our ongoing Nano Server beta, Online Services, and Mitigation bypass and Bounty for Defense bounty programs. These additions are a part of the rigorous security programs at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits,” it explains in a TechNet blog.

Remote Code Execution flaws are paid the best, but for the $15,000 bounty, you also need to provide a functional exploit and attach a whitepaper to detail the bug.

Just like for the other bug bounty programs, the standard rules apply. Therefore, you must be at least 14 years old (or have your parents’ permission to participate in the program), be an individual researcher not working for Microsoft and having your company’s go-ahead, and live in any country that’s not currently on the US sanction list.

Article source

[emerglines]

That's cheap if someone can make more I mean way more than that. fifty times more than that.

[Pequi]

On quarta-feira, 8 de junho de 2016 at 5:59 AM, Batu69 said:

Microsoft says that all bounties will be eligible for NET Core, ASP.NET Core RC2, and any subsequent release candidates, including the RTM version if it’s released by the time the program ends. Bug reports can be submitted between June 7 and September 7 and can bring you back at least $500 (€450) and a maximum of $15,000 if you find one critical vulnerability.

They spend more than that for a single TV ad for Win 10.

Obviously they can't be serious. Even a million US$ would be cheap for a critical vulnerability exploit.