The bounty program of Microsoft implies lucrative rewards for individuals who can scour notable threats and flaws in any new software or application developed by the company. The bug bounty program is constituted to obtain coherent data on the feasibility of programs and software as well as reward individuals with technical acumen.
Microsoft varies its monetary rewards in the bug bounty scheme from $500 to $100,000 depending on the magnitude of the risk spotted. Microsoft is planning to impart bounties amounting up to $15,000 for finding out the most detrimental facets in the unreleased beta versions of its latest CoreCLR and ASP.NET 5 application software.
The provision of varying scale of rewards in the bounty program envisions proficient research and tactful apprehension of flaws. Through such a program, Microsoft can get a pragmatic evaluation of the beta versions of CoreCLR and ASP.NET 5. Furthermore, researchers and persons adept at evaluating ASP.NET Methodologies can make the most out of this opportunity. Prior to assuming prerogatives, participants of this program have to estimate a lucid impression of the guidelines prescribed by Microsoft for the bug bounty program.
In order to consider participation in the Microsoft bug bounty scheme, individuals must assess their eligibility with respect to the criteria set by the company.
Some of the crucial elements in the criteria set by Microsoft are:
- The risk which is reported must be new and there should be no instances of recurring setbacks. There should be no references to the findings of other researchers. Some of the examples include data protection discrepancies, encoding drawbacks etc.
- The bounty encompasses the networking stack of beta version or RC1 version of CoreCLR. Networking bugs are excluded from the premises of the bug bounty program.
- Reports concerning vulnerability must be affable and ready for processing. This enables a faster evaluation of the reports and quicker remunerations as per the degree of anomaly reported.
The bug bounty program commenced on October 15, 2015 and shall conclude on the 20th of January, 2016. Credible assessment of vulnerabilities and subsequent suggestions for improvement can amount to monetary rewards depending on the nature and complexity of the threat.
Microsoft enjoys sole discretion in case of rewards. The final reports are scrutinized meticulously and eligible submissions are felicitated with proper distinction. Microsoft determines rewards based on the vulnerability type and proofs submitted for validating the claim.
Some of the most common threats reported are concerned with the following aspects:
- Privilege elevations
- Tampering or imitations
- Execution of remote data code
- Template CSRF or XSS
- Information misappropriation
- Shortcomings in security framework
- Remote DoS
Payments from Microsoft are done in a comprehensive manner after precise evaluation of the submitted reports by proficient engineers at Microsoft. Proper documentation and paperwork are the stand out points in the bug bounty program.
Other crucial entities to be followed in this program include complete confidentiality of the proceedings of your research. Microsoft asks for maintaining secrecy on the exploit codes discovered during evaluation of the beta versions of CoreCLR and ASP.NET 5.
Source: http://www.cso.com.au
