Exploring the Visual Studio bounty program

DevToolsGuy / Monday, January 11, 2016

Vulnerability bounty programs are a new trend in the relationship between developers and software companies. Various organizations have begun inviting independent security researchers to test the vulnerability of their systems against the most common attacks from the hacking community. Bounty programs also gives an opportunity for would-be criminals to make a choice between right and wrong-doing. It’s kind of like The Good, The Bad and The Ugly in the Wild Web.

In 2013, independent security researcher Roy Castillo exposed a bug in Facebook where you could view any Facebook user’s real email address. Instead of using this bug for his own benefit, Roy informed Facebook about the bug and was rewarded with a $4,500 bounty reward. Roy wrote an article about the bug and the reward he received after informing the Facebook.

A less happy ending is that of a student in Canada who was expelled for exposing a flaw in his college’s application system which exposed the data of around 250,000 students’ sensitive information like social security numbers, addresses and phone numbers.

There are many such stories where the bounty program offered by various companies have become the source of income for security researchers. Discovering and reporting weaknesses represents a real win-win situation for researchers as well as the company. Companies exposes their prices for discovering weaknesses based on the intensity of the security risk exposed by the bounty hunters in the system. Google offers a bounty reward up to $20,000 for the most critical threats exposed in Google products.

Below are some of the bug bounty programs offered by well-known companies:

  1. Facebook White Hat Program - Reward Range: $500 – sky is the limit
  1. Google Vulnerability Program - Reward Range: $100 - $20,000
  1. Yahoo Bug Bounty Program - Reward Range: $100 - $20,000
  1. GitHub Security Program - Reward Range: $100 - $5,000

Recently, Microsoft has also launched a bounty program for Visual Studio where a researcher, on exposing the bug, could earn up to $15,000 as a reward. Earlier in the year, Microsoft also began a bounty program for Windows 10 with a reward of $50,000 which was doubled in September to $100,000 for researchers who expose authentication vulnerabilities in Windows 10.


Visual Studio Bounty Program

Last month Microsoft announced a bug bounty program lasting three months for the two tools which comprise Visual studio. Core CLR, which is the backbone of the .Net Core, and ASP. Net 5. This announcement came after Microsoft launched the ASP .Net 5 Beta 8 version. Researchers who find vulnerabilities in the .Net core runtime and the ASP .Net 5 will be eligible for this reward. The size of the bounty will be based upon the quality and the complexity of the reported issue.

So what’s classed as a ‘vulnerability’? They include remote code execution, security design flaws, elevation of privilege, Remote DoS, Tampering/Spoofing, Information leaks and template CSRF or XSS. For an eligible submission, a Proof of Concept is required for all the reported issues. Although the reward price is up to $15,000, Microsoft may pay more than that based on the complexity and the quality of reported vulnerability issues.

You can find the terms and conditions for the program over here.

Why is Microsoft doing this now?

As per the post by Barry Dorrans on the official launch of the Visual Studio Bounty Program, Microsoft wants to make the framework “as secure as possible”. As most of the software is built on the Core CLR and ASP .Net 5, it is quite logical that the framework has to be secure in order that the software built on it is secure. Most customers use Visual Studio and its development tools to write software and this bounty program will help Microsoft to make improvements in the security of the framework on all platforms.

Currently, Microsoft has launched the bounty program during the release of the Beta version of ASP .Net 5 which will help the tech giant to identify security issues during the pre-release of the ASP .Net final version.

Duration: 20th October, 2015 to 20th January, 2016 (3 months)

What’s in it for the Developers/Researchers?

The bounty will be applicable on all the supported platforms which are supported by Core CLR and ASP .Net 5 like Windows, Linux and OS X. Individuals across the globe have the opportunity to submit vulnerabilities found in the latest pre-release version of CoreCLR and ASP.NET 5 running on Windows, Linux and MacOS

Reward Range: $500 - $15,000

Who can take part?

According to the Microsoft Core CLR and ASP.Net 5 Bug bounty program terms and conditions the criteria for eligible submissions are:

  • 14+ years old. If you are under 14 years of age and you are considered a minor in your country, then you will require the permission of a legal guardian.
  • You should be individual researcher or if you are employed then your company should explicitly permit you to participate.
  • You should also not fall in the not eligible criteria which are listed under “WHO IS NOT ELIGIBLE TO PARTICIPATE?” over here.

Over the years, Microsoft has improved its bug bounty program for various tools in order to decrease its vulnerability to attacks on its software. More recently Microsoft declared that it would pay up to $30,000 for authentication vulnerabilities in its online services. Wesley Wineber, a security researcher, was awarded $24,000 for discovering a critical authentication flaw affecting the live.com services. So, for a chance to become Clint Eastwood for the day, or Blondie as his character is called, become The Good and get looking for bugs – you could strike lucky!