Slashdot Mirror


Microsoft To Pay Up To $15K For Bugs In Two Visual Studio Tools (microsoft.com)

itwbennett writes: Yesterday, Microsoft started a three-month bug bounty program for two open source tools that are part of Visual Studio 2015. The program applies to the beta versions of Core CLR, which is the execution engine for .NET Core, and ASP.NET, Microsoft's framework for building websites and web applications. Bounties range from $500 to $15,000, although Microsoft will reward more 'depending on the entry quality and complexity.' The highest reward will go to researchers who've found a remote code execution bug with a functioning exploit and an accompanying, high-quality white paper. On the low end, cross-site scripting or cross-site request forgery bugs with a low-quality report will get $500.

2 of 43 comments

  1. Re:I've got a deal for someone... by Anonymous Coward · Score: 0, Insightful

    This is about showing goodwill and being more community-minded. Under the new CEO, Microsoft is becoming more and more open. Don't, however, ever believe that Microsoft should or would be an open source company. And I don't think they should be. There is room for everyone in this industry. Align yourself with whomever resembles your IT outlook. Look not at the negatives, but rather what are the positives. Majoring in the minor gets none of us anywhere. This bug bounty thing is a good idea. Works for Google and loads of others, and if you are good at spotting bugs and mistakes, you get a little money. Win-win.

  2. A sensible approach to open source security by chrisfcarroll · Score: 5, Insightful

    What is interesting, however, is the thought that developer, documentation and test contributions to open source are unpaid, but security contributions are paid for. Possibly this reflects a lesson of the past 30 years that pretty much nobody in the world is capable of shipping fully secure software for general-purpose computers.

    --
    "In the quest for truth we must train ourselves to view our favourite ideas just as critically as those we oppose"