Search code, repositories, users, issues, pull requests...
.NET and MSRC are excited to announce a significant update to the Microsoft .NET Bounty Program. These changes expand the program’s scope, simplify the award structure, and offer great incentives for security researchers.
The .NET Bounty Program now offers awards up to $40,000 USD for vulnerabilities impacting the .NET and ASP.NET Core (including Blazor and Aspire).
To potentially qualify for a bounty security issues and bugs should be reported privately to the Microsoft Security Response Center (MSRC), either by emailing secure@microsoft.com or via the portal at https://msrc.microsoft.com/. You should receive a response within 24 hours.
The restructured .NET Bounty Program introduces several improvements to how submissions are evaluated and rewarded. The new award tables now clearly define severity levels, specify different types of security impacts, and outline revised criteria for report quality.
Clear severity levels: Awards are now based on the potential impact of a vulnerability, ensuring higher-impact issues receive greater rewards.
