​Microsoft opens limited bug bounty for CoreCLR and ASP.NET 5 betas

  • Liam Tung (CSO Online)
  • 21 October, 2015 08:40

Microsoft wants hackers and researchers to prod its .NET Core CLR runtime and ASP.NET 5 betas in Visual Studio 15 for security vulnerabilities.

The Redmond company will pay as much as $15,000 for a remote code execution bug in its cross platform runtime and web stack, so long as the researcher also provides a high quality white paper detailing the bug, a functioning exploit and proof of concept.

Over the past year Microsoft has open sourced parts of its .NET programming framework and ported it to Linux and Mac, which is all held together with .NET Core to help developers build .NET apps to run on Linux or Windows Server in the cloud.

Microsoft notes that the three month program is strictly applicable to .NET core runtime, called CoreCLR and the beta versions of ASP.NET on Windows, Linux and Mac OS X.

“Starting a bounty program during our beta period allows us to address issues quickly and comprehensively,” Barry Dorrans, the security lead for ASP.NET said in a blog announcing the bounty program.

“With first eligible release, beta 8, we are excluding the networking stack on Linux and OS X. In later beta and RC releases, once our cross platform networking stack matches the stability and security it has on Windows, we'll include it within the program,” Dorrans added.

The new program builds on other Microsoft Bounty Programs, including one for Microsoft Online services such as Office 365 and Azure, and its mitigation bypass bounty, which offers up to $100,000 to the extra crafty hacker who can bypass tools like data exploitation prevention (DEP).

As of August, Microsoft bumped up its top reward of $50,000 for a solid defence against a mitigation bypass to $100,000 with the idea to bring “defense up on par with offense”.

As for the latest .NET bounty, researchers will need to find an “unreported vulnerability in the latest beta or RC version of Microsoft CoreCLR, ASP.NET 5 and the default ASP.NET 5 templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015.”

At the low end with a $500 reward, this includes bypasses of CSRF protection, as well as higher rewards for encoding and data protection failures, information disclosures to a client, authentication bypasses and remote code execution.

The bounty will runs from today to January 20, 2016.

Microsoft ran a similarly finite bug bounty for its Edge browser for Windows 10 when the software was a preview release, once again in order to nip as many bugs in the bud as possible before it reached general availability.