Microsoft Revamps .NET Bug Bounty Program, Offering Up to $40K for Critical Flaws
Microsoft has announced sweeping enhancements to its vulnerability rewards program for the .NET platform, significantly broadening its scope and increasing compensation for valid discoveries. Security researchers can now earn up to $40,000 for critical bugs identified in .NET and ASP.NET Core, including components such as Blazor and Aspire. The company emphasizes that the revised structure more accurately reflects the technical difficulty of uncovering and exploiting such vulnerabilities.
As explained by Madeline Eckert, Microsoft’s Senior Program Manager for Bug Bounties, the changes go beyond expanding the eligible vulnerability categories—they also introduce a streamlined reward assessment system. The new focus lies in incentivizing the discovery of complex and rare flaws, particularly those that enable remote code execution or bypass fundamental security mechanisms.
Under the updated program, the maximum reward of $40,000 is reserved for vulnerabilities that allow arbitrary code execution or privilege escalation. Discoveries of critical security bypasses can earn up to $30,000, while denial-of-service flaws exploitable remotely may bring in rewards of up to $20,000.
Microsoft has also broadened the program's technical scope. It now covers all supported versions of .NET and ASP.NET Core, together with related technologies such as F#. The bounty also applies to the project templates shipped with .NET and ASP.NET Core, to the GitHub Actions workflows in the platform's official repositories, and to the ASP.NET Core releases that target the .NET Framework.
The company has further aligned this effort with other initiatives. Earlier this year, Microsoft raised bounty payouts to $30,000 for AI-related vulnerabilities in Power Platform and Dynamics 365. In February, it introduced a double-payout multiplier for bugs in Microsoft Copilot and began rewarding even moderate-severity flaws in that domain.
At its 2024 Ignite conference, Microsoft launched the Zero Day Quest—an elite hacking competition targeting vulnerabilities in cloud and AI platforms—with a prize pool totaling $4 million.
These measures are part of Microsoft’s broader Secure Future Initiative, a far-reaching plan to redefine its approach to cybersecurity, launched in the fall of 2023. The initiative was prompted by criticism from the U.S. Department of Homeland Security’s independent Cyber Safety Review Board, which highlighted systemic shortcomings in Microsoft’s corporate security culture and urged comprehensive reform.