Microsoft has started a three-month bug bounty program for two tools that are part of Visual Studio 2015.
The program applies to the beta versions of Core CLR, which is the execution engine for .NET Core, and ASP.NET, Microsoft’s framework for building websites and web applications. Both are open source.
“The more secure we can make our frameworks, the more secure your software can be,” wrote Barry Dorrans, security lead for ASP.NET, in a blog post on Tuesday.
All supported platforms that .NET Core and ASP.NET run on will be eligible for bounties except for beta 8, which will exclude the networking stack for Linux and OS X, Dorrans wrote.
“In later beta and RC releases, once our cross-platform networking stack matches the stability and security it has on Windows, we’ll include it within the program,” he wrote.
Bounties range from $500 to $15,000, although Microsoft will reward more “depending on the entry quality and complexity.” The program started on Oct. 20 and will conclude on Jan. 20, 2016.
The highest reward will go to researchers who’ve found a remote code execution bug with a functioning exploit and an accompanying, high-quality white paper. On the low end, cross-site scripting or cross-site request forgery bugs with a low-quality report will get $500.
Microsoft is one of many major vendors that have embraced rewarding independent researchers for their work. The advantage of such programs is that a wide variety of people can look at the code, increasing the chance that bugs will be discovered.