The Race is On To Find ASP.NET bugs
On October 20th, Microsoft announced that it’s “game on” for its ASP.NET bug bounty program. The program will last for three months, until January 20th. During this time, developers get the chance to win good money for finding bugs (or software flaws) in two platforms that are part of Visual Studio 2015, namely Microsoft ASP.NET and .NET Core beta versions. Bounties for a qualified submission range from a minimum of $500 up to a maximum of $15,000!
It’s no surprise that Microsoft decided to launch a bug bounty program and offer such motivational rewards. In 2013, the company partnered with Facebook to sponsor The Internet Bug Bounty. The main focus of that program was to gather reports of hacks and exploits that affected Internet software, operating systems, web browsers, and other Internet-related issues.
Why should more companies organize bug bounty programs?
Facebook, Google, Yahoo! and Reddit are just some of the big companies that have implemented bug bounty programs recently. These programs have been incredibly successful, so it’s a practice that other big software companies may adopt when they need plenty of testing before a launch.
This is why bug bounty programs work:
• If various developers find bugs when they’re testing the new software or programs, it increases the odds that when the new software launches, users won’t encounter as many errors. It’s every company’s dream to launch a product that is bug-free, one that won’t give its users headaches.
• Companies receive feedback from a fresh pair of eyes: someone who doesn’t know the code and won’t miss obvious errors (if they occur) that the people who worked on the software or program may overlook.
• Bug bounty programs represent a great opportunity for developers to stand out and earn good money. If they spot a major issue, they get internationally recognized and that might turbocharge their career.
Microsoft ASP.NET and the details of the program
Many developers use Microsoft ASP.NET for building dynamic websites, web applications, or web services. ASP.NET is an open-source server. For a bug submission to be eligible, it needs to meet strict requirements.
Here’s what developers should include in their submission:
• A newly discovered problem. The vulnerability needs to be original, preferably one that wasn’t reported in the “latest beta or RC version of Microsoft CoreCLR, Microsoft ASP.NET 5 and the default ASP.NET 5 templates provided with the ASP.NET Web Tools Extension for Visual Studio 2015”, according to Microsoft’s Security TechCenter.
• A clear explanation of the problem. Each submission must be reproducible, and the steps to reproduce it should be explained very clearly. This will speed up the approval of the submission.
Microsoft will evaluate each submission and will take these criteria into account. The bounties can vary between $500 and $15,000. The company may even reward more than $15,000 if it receives more complex, high-quality submissions. Get going, software testers!