Slashdot Mirror


Microsoft To Pay Up To $15K For Bugs In Two Visual Studio Tools (microsoft.com)

itwbennett writes: Yesterday, Microsoft started a three-month bug bounty program for two open source tools that are part of Visual Studio 2015. The program applies to the beta versions of Core CLR, which is the execution engine for .NET Core, and ASP.NET, Microsoft's framework for building websites and web applications. Bounties range from $500 to $15,000, although Microsoft will reward more 'depending on the entry quality and complexity.' The highest reward will go to researchers who've found a remote code execution bug with a functioning exploit and an accompanying, high-quality white paper. On the low end, cross-site scripting or cross-site request forgery bugs with a low-quality report will get $500.

1 of 43 comments

  1. A sensible approach to open source security by chrisfcarroll · Score: 5, Insightful

    What is interesting, however, is the thought that developer, documentation and test contributions to open source are unpaid, but security contributions are paid for. Possibly this reflects a lesson of the past 30 years that pretty much nobody in the world is capable of shipping fully secure software for general purpose computers.

    --
    "In the quest for truth we must train ourselves to view our favourite ideas just as critically as those we oppose"