The .NET bug bounty covers current released versions of .NET Core, ASP.NET Core and .NET, as well as the latest beta or release candidate of the upcoming version.
.NET has the concept of preview features which ship in the current version, or in nightly builds of the upcoming version. Preview features are not enabled by default, but their goal is to be enabled in the next major release. Preview features are now considered in scope for the bug bounty if they are listed in the table below.
Bugs against preview features in the current release must be demonstrated against the latest current release.
Bugs against preview features in nightly builds of the next version must be demonstrated against the build number listed in the table below, or subsequent builds. Preview features in nightly builds may fall out of scope while bugs are addressed or the removal of the feature from the upcoming version.
Any inclusion of a feature in the table below should not be taken as an indication that the feature will ship in any upcoming version.
Documentation of security bugs for preview features are only in scope for the current released version of .NET
Read the .NET bug bounty terms and conditions before submitting your bug report. To be eligible for a bounty, you must submit your bug report through the Microsoft Security Response Center (MSRC).
| Feature | Description | Documentation |
|---|---|---|
| HTTP/3 | HTTP/3 support in the Kestrel Web Server | Enabling HTTP/3 |
| Feature | Description | Minimum Build Number | Documentation |
|---|---|---|---|
| None |
Last Updated: 2021-11-15 - Initial listing