Many companies offer bug bounty programs that encourage people to search for security vulnerabilities in software and report them privately to the vendor, so that fixes can be implemented and applied before malicious attackers exploit them. Security researchers and other members of the public are rewarded with monetary payouts. Now, Microsoft has announced a major update to its .NET Bounty program.

Award amounts now start at $7,000 and go up to $40,000. Note that the maximum reward applies only to the private disclosure of a Remote Code Execution (RCE) or Elevation of Privilege (EoP) vulnerability with a complete report and critical impact.

The breakdown of each reward tier is as follows:

Security impact                                   Report quality   Critical   Important
Remote code execution                             Complete         $40,000    $30,000
                                                  Incomplete       $20,000    $20,000
Elevation of privilege                            Complete         $40,000    $10,000
                                                  Incomplete       $20,000    $4,000
Security feature bypass                           Complete         $30,000    $10,000
                                                  Incomplete       $20,000    $4,000
Remote denial of service                          Complete         $20,000    $10,000
                                                  Incomplete       $15,000    $4,000
Spoofing or tampering                             Complete         $10,000    $5,000
                                                  Incomplete       $7,000     $3,000
Information disclosure                            Complete         $10,000    $5,000
                                                  Incomplete       $7,000     $3,000
Documentation, or samples in documentation,       Complete         $10,000    $5,000
that is insecure or encourages insecure practice  Incomplete       $7,000     $3,000
and is not labelled as a sample that ignores
security

It is worth noting that the .NET bounty program mainly revolves around .NET and ASP.NET Core, including Blazor and Aspire. The newly added product categories, however, extend coverage to all supported .NET and ASP.NET versions, ASP.NET Core for the .NET Framework, the templates these ship with, the GitHub Actions in their repositories, and related technologies such as F#.

The updated reward structure defines severity levels clearly so that high-impact issues receive higher rewards, and it also provides guidance on what makes a report "complete". You can find more information in Microsoft's dedicated blog post.