Secure research starts with responsible testing.
Microsoft .NET Bounty Program
Partner with Microsoft to strengthen our products and services by identifying and reporting security vulnerabilities that could impact our customers.
IMPORTANT: The Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Coordinated Vulnerability Disclosure (CVD), Bounty Program Guidelines, and the Microsoft Bounty Program page.
PROGRAM DESCRIPTION
.NET, ASP.NET, .NET Core, and ASP.NET Core are developer platforms for building different applications. The .NET Bounty Program invites researchers to identify vulnerabilities in.NET, ASP.NET, .NET Core, and ASP.NET Core and share them with our team. Qualified submissions are eligible for bounty awards from $1,250 to $40,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.
IN SCOPE PRODUCTS AND SERVICES
Vulnerabilities submitted in the following products and services are eligible under this bounty program:
Current, supported*, versions of Microsoft .NET and ASP.NET Core.
The latest version of ASP.NET Core 2.X, if running on .NET Framework.
Release candidates for upcoming versions of .NET.
.NET and ASP.NET-Core templates provided with the current, supported versions* of .NET and ASP.NET.
Any associated GitHub Actions in the associated .NET or ASP.NET Core GitHub repositories.
Any associated documentation on docs.microsoft.com or learn.microsoft.com/dotnet/, and samples contained within such documentation for current, supported* versions of .NET andASP.NET Core.
Any Preview Features listed in this GitHub page, whether in current supported versions or an upcoming version.
*more information on the supported versions can be found here.
ELIGIBLE SUBMISSIONS
The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.
In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Such vulnerability be Critical or Important severity reproduce in one of the in-scope products or services
We request researchers include the following information to help us quickly assess their submission:
- Submit through the MSRC Researcher Portal
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
GETTING STARTED
Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability. If in doubt, please contact bounty@microsoft.com.
To get started, you can install .NET and .NET Core. The source is available from Github. Follow the .NET Blog to learn about the latest features and releases.
BOUNTY AWARDS?
Bounty awards range from $1,250 up to $40,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.
Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix; they may also earn points in our Researcher Recognition Program to receive swag and secure a place on the Microsoft Most Valuable Researcher list.
| Severity | |||||
|---|---|---|---|---|---|
| Security Impact | Report Quality | Critical | Important | Moderate | Low |
| Remote Code Execution | High Medium Low | $40,000 $20,000 $10,000 | $30,000 $15,000 $7,500 | $0 | $0 |
| Elevation of Privilege | High Medium Low | $40,000 $20,000 $10,000 | $30,000 $15,000 $7,500 | $0 | $0 |
| Security Feature Bypass | High Medium Low | $30,000 $15,000 $7,500 | $10,000 $5,000 $2,500 | $0 | $0 |
| Remote Denial of Service | High Medium Low | $20,000 $10,000 $5,000 | $10,000 $5,000 $2,500 | $0 | $0 |
| Spoofing or Tampering | High Medium Low | $10,000 $5,000 $2,500 | $5,000 $2,500 $1,250 | $0 | $0 |
| Information Disclosure | High Medium Low | $10,000 $5,000 $2,500 | $5,000 $2,500 $1,250 | $0 | $0 |
| Documentation or samples included in documentation are insecure or encourage insecurity and are not described as samples which do not take security into consideration | High Medium Low | $10,000 $5,000 $2,500 | $5,000 $2,500 $1,250 | $0 | $0 |
OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty award.
If your submission is evaluated as out-of-scope for this individual bounty program, it may still qualify for an award under the Standard Award Policy.
Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty awards:
- Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
- Vulnerabilities in the .NET Framework, or any ASP.NET framework running on .NET Framework (Webforms or MVC)
- Vulnerabilities in out of support versions of .NET or .NET Core
- Vulnerabilities in versions of .NET 5 or later, .NET Core or ASP.NET Core which are daily builds, early beta releases, or are not RTM or RC versions
- Vulnerabilities in user-generated content
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities which disable or do not use any built in mitigation mechanisms
- Low impact CSRF bugs
- Server-side information disclosure
- Vulnerabilities in platform technologies that are not unique to .NET, .NET Core or ASP.NET (for example IIS, OpenSSL etc.)
- Sub-domain takeover
- Vulnerabilities based on third parties that do not demonstrate a qualifying security impact on the specified service
- Training, documentation, samples, and community forum sites related to .NET Bounty Program products and services are out-of-scope for bounty awards
Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
ADDITIONAL INFORMATION
For additional information, please see our FAQ.
REVISION HISTORY
- October 20, 2015: Announced the new bounty program for .NET Core CLR and ASP.NET 5 Betas shipping with Visual Studio 2015.
- January 20, 2016: Program concluded
- June 7, 2016: Announced new bounty program covering both Release, and Release Candidate (RC) versions of .NET Core and ASP.NET Core
- October 16, 2018: Updated to include Github links to source
- November 20, 2020: Updated to use new nomenclature for .NET 5 and .NET Core
- November 23, 2021: Added Preview Feature to scope
- July 31, 2025: Updated and expanded the scope, awards table format, and awards amounts.
- December 11, 2025: Updated award amounts, hyperlinks, and standardized language.