The bounty lasts until January 20, 2016, the company says

Oct 21, 2015 08:34 GMT

Earlier this month, Microsoft launched the .NET Core and ASP.NET Beta, and because development tools are critical for the company these days, it is now rolling out the very first bug bounty program meant to encourage developers and security researchers to look for flaws in its code.

The open-source, cross-platform runtime and web stack is currently at beta version 8, and Microsoft says that the bug bounty program, which kicked off a few hours ago, includes not only this particular release but also all the other subsequent betas or release candidates that will see daylight during the campaign.

The bug bounty program will be aimed at all platforms that are currently supported by .NET Core and ASP.NET Beta, including Windows, OS X, and Linux, and ends on January 20, 2016, so you have exactly three months to find a security flaw and get paid for it.

How much do I receive for my bugs?

As for the financial reward you’d get if you do find a security bug in the software, it’s worth knowing that payouts range from $500 to $15,000 (€440 to €13,200), depending on the type of flaw you find. Remote Code Execution vulnerabilities are the ones bringing you the biggest amount of money, so if you provide not only the Proof of Concept but also a functioning exploit, you could actually get the biggest prize.

At the opposite pole, there’s the Template CSRF or XSS bug, which only requires the PoC and brings you $500.

For the moment, submissions that concern the CoreCLR networking stack on Linux and MacOS are not accepted, but Microsoft says that it will include them in the bug bounty program soon, with a public announcement to be released at a later time.

In order to participate in this program, you must be 14 or older, live in a country that is not under US sanctions, and not work for Microsoft. The full terms of the program are available here, while the information needed to submit a bug to the company can be found here.