Headline
.NET Bounty Program now offers up to $40,000 in awards
We’re excited to announce significant updates to the Microsoft .NET Bounty Program. These changes expand the program’s scope, simplify the award structure, and offer great incentives for security researchers. The .NET Bounty Program now offers awards up to $40,000 USD for vulnerabilities impacting the .NET and ASP.NET Core (including Blazor and Aspire).
We’re excited to announce significant updates to the Microsoft .NET Bounty Program. These changes expand the program’s scope, simplify the award structure, and offer great incentives for security researchers.
The .NET Bounty Program now offers awards up to $40,000 USD for vulnerabilities impacting the .NET and ASP.NET Core (including Blazor and Aspire).
Program scope expansion
The .NET Bounty Program now provides broader coverage across the .NET framework. It includes:
All supported versions of .NET and ASP.NET
Adjacent technologies such as F#
Supported versions of ASP.NET Core for .NET Framework
Templates provided with supported versions of .NET and ASP.NET Core
GitHub Actions in the .NET and ASP.NET Core repositories
These updates ensure continuous security review and protection for Microsoft customers across a wider range of technologies.
Awards structure update
The restructured .NET Bounty Program introduces several improvements to how submissions are evaluated and rewarded. The new award tables now clearly define severity levels, specify different types of security impacts, and outline revised criteria for report quality.
Clear severity levels: Awards are now based on the potential impact of a vulnerability, ensuring higher-impact issues receive greater rewards.
Aligned impact categories: Security impact types now match those used in other Microsoft bounty programs, helping researchers understand how their submissions will be assessed.
Defined report quality: Submissions are rated as either “complete” or “not complete.” Only reports that include fully functional exploits qualify as “complete.” Theoretical scenarios are still considered but receive lower awards based on practical impact.
These updates promote transparency and encourage detailed, actionable submissions that help improve the security of the .NET ecosystem.
Increased award amounts
We’ve increased the award amounts to better reflect the complexity of discovering and exploiting vulnerabilities within .NET.
Security Impact
Report Quality
Critical
Important
Remote Code Execution
Complete
$40,000
$30,000
Not Complete
$20,000
$20,000
Elevation of Privilege
Complete
$40,000
$10,000
Not Complete
$20,000
$4,000
Security Feature Bypass
Complete
$30,000
$10,000
Not Complete
$20,000
$4,000
Remote Denial of Service
Complete
$20,000
$10,000
Not Complete
$15,000
$4,000
Spoofing or Tampering
Complete
$10,000
$5,000
Not Complete
$7,000
$3,000
Information Disclosure
Complete
$10,000
$5,000
Not Complete
$7,000
$3,000
Documentation or samples included in documentation are insecure or encourage insecurity and are not described as samples which do not take security into consideration
Complete
$10,000
$5,000
Not Complete
$7,000
$3,000
Thank you to our researchers and collaborators for your continued partnership. Your contributions are essential to strengthening the security of .NET, and we look forward to your future submissions.
Cheers,
Madeline Eckert, MSRC and Barry Dorrans, .NET Security