Bug Microsoft Programming Security

Microsoft To Pay Up To $15K For Bugs In Two Visual Studio Tools (microsoft.com)

itwbennett writes: Yesterday, Microsoft started a three-month bug bounty program for two open source tools that are part of Visual Studio 2015. The program applies to the beta versions of Core CLR, which is the execution engine for .NET Core, and ASP.NET, Microsoft's framework for building websites and web applications. Bounties range from $500 to $15,000, although Microsoft will reward more 'depending on the entry quality and complexity.' The highest reward will go to researchers who've found a remote code execution bug with a functioning exploit and an accompanying, high-quality white paper. On the low end, cross-site scripting or cross-site request forgery bugs with a low-quality report will get $500.
  • by grimmjeeper ( 2301232 ) on Thursday October 22, 2015 @11:09AM (#50781117) Homepage
    Whoever is working on building this code, we can split any bug bounty money 50/50...
  • by xxxJonBoyxxx ( 565205 ) on Thursday October 22, 2015 @11:36AM (#50781341)

    >> Core CLR...and ASP.NET

    Those are kind of a big deal in corporate America. If you find a good zero-day in either of those, the market might pay more than that just to exploit it at a single company, let alone a universal exploit. I'm thinking Microsoft may need to put some real money into this program to keep researchers on the light side of the force.

    • dotNet Core is still in dev and no version of Windows yet ships with it. So no zero-dayness is possible. .Net Framework versions up to 4.6 are the current live versions.
    • by cdrudge ( 68377 )

      So a person would need to choose between making up to $15k in a legal fashion that ultimately makes a product more secure and could benefit many companies...or sell it to nefarious people possibly for more money, but your exploit is used to attack companies and ultimately may trace back to you. Decisions decisions decisions.

      • Apparently these types of exploits can be sold legally for $100k [mitnicksecurity.com].
  • That isn't enough to get me to jack in my job and go bug hunting full time.

    • If I knew for sure that I'd win the bounty, and that they'd pay the full $15k, and that it wouldn't take me too long to get it, I'd happily burn a little vacation time.

      But otherwise, the mathematical expectation is way too low.

    • I don't think the intent is to motivate full time bug hunting but rather to allow those who suspect a bug to have the motivation to dig deeper. This is especially true of those in enterprise-level security consulting who have a responsibility for testing for vulnerabilities or understanding the source of a security failure at their customers'.

      I know people who have monetized exploitation of a bug. The reward is often limited unless you are willing to go the next level of exploitation which has higher

  • Is the reward offered by this bug bounty program higher than what that exploit would fetch if you sold it to Bulgarians or Russians? If not, why not?
  • by Chris F Carroll ( 2937391 ) on Thursday October 22, 2015 @12:23PM (#50781763)
    What is interesting however is the thought that developer, documentation and test contributions to open source are unpaid, but security contributions are paid for. Possibly this reflects a lesson of the past 30 years that pretty much nobody in the world is capable of shipping fully secure software for general purpose computers.
    • by Anonymous Coward

      Whenever I see the phrase "general purpose computer" it makes me shudder as it implies hardware that can be used for any purpose. The language used in that quote is to imply that this hardware can be used to molest your children and other more specific hardware can't be used for this purpose. lol

      Does it have a processor that can run functions for your own use and RAM that isn't constrained by software and firmware that you don't control? Voila - it's a general purpose computer.

      Even freakishly slante

  • I think the most ironic part is that they are willing to pay up to $15K for a bug + a white paper on the bug, but not willing to pay anything more, should you include patches that actually fix the bug.

    You would think that a bug *fix* was the end goal.

    I'm of two minds as to why this is the case:

    (1) They just don't get this whole "Open Source" thing yet, although they seem to be trying really, really hard

    (2) The intent of the program is actually to get the white papers, rather than the bug fixes. That, in t

    • by bmajik ( 96670 )

      I'm not in any way involved with this specific program, but I do work on VisualStudio.

      It's pretty common for all kinds of software projects to take bug reports - even very detailed and thorough ones - from people who ultimately don't end up fixing the bug.

      The interesting thing about finding a security bug - especially with the constraints described here - a working exploit and a white paper - it's pretty unambiguous that you've found one. You either have or you haven't.

      Now, how to actually fix that bug mig
