
The Microsoft .NET Bounty Program states that "Vulnerabilities in the .NET Framework, or any ASP.NET framework running on .NET Framework (Webforms or MVC)" is out of scope.

Is .NET Framework covered by another bounty program?

Or is it just considered to be "low-severity or out of scope"? If this is true, what does it mean for its security?

TN.
  • I think part of this is Microsoft's confusing terminology. There is .NET framework, ASP.NET, ASP.NET-Core, and now ASP.NET-Core is just ASP.NET, but it's not the old ASP.NET. So the term ".NET Framework" here I think means the old pre ASP.NET framework... not ASP.Net-Core, which became ASP.NET again. So running ASP.NET on the old .NET Framework is not covered in the bounty program. ASP.Net-Core includes the old .NET stuff along with the new and platform independent stuff... but it's not called "-core" anymore, just ASP.NET again. It's all ridiculously confusing. – pcalkins Nov 16 '21 at 20:25

1 Answer


.NET comprises two primary components: the runtime, and the framework. The runtime is the part of .NET that manages runtime execution of .NET processes, and it includes things like the JIT. The framework is the set of class libraries that are utilised in the .NET environment, providing namespaces like System.Text or System.Security.Cryptography.

After .NET Framework 4.x, Microsoft started a new project named .NET Core. This was a breaking change for the ecosystem, removing a lot of legacy APIs and features, so it was forked off as its own thing. Core is cross-platform and largely open source. Three major releases were made (ending in .NET Core 3.x) before Microsoft made the Core project their canonical release as .NET 5. This continues to today, with .NET 6.

".NET Framework" (note the capital F) refers to versions 4.x and prior of the .NET class libraries. These are the old, pre-Core frameworks. They run on the old .NET Runtime.

".NET Runtime" (note the capital R) usually refers to the common language runtime (CLR) that runs applications built on the .NET Framework.

The new framework, introduced with Core, is usually referred to as CoreFX or Core Framework. These are the .NET Core equivalent of the .NET Framework standard libraries. The new runtime is called Core CLR.

There is also a standardised subset of APIs that are common to both .NET Framework and .NET Core. This is referred to as .NET Standard.

What Microsoft means by this:

Vulnerabilities in the .NET Framework, or any ASP.NET framework running on .NET Framework (Webforms or MVC).

is that vulnerabilities in the .NET Framework, and their ASP.NET counterparts, i.e. the frameworks prior to Core, are not in scope because they are now either legacy products or "old branch" products that they don't cover in bug bounties. Note that they do not exclude the .NET Runtime, since that remains of high relevance for security even though CoreCLR is their focus for the future.

Polynomial
  • There are a few things wrong here. CoreFX and CoreCLR are not frameworks but the standard libraries and the runtime .NET Core is built upon, respectively. Also, .NET Framework 4.8 is not a legacy product and is still subject to LTS and probably won't stop being so anytime soon, as long as Windows OSes are around. The .NET Standard states common specifications on the general API which can be used as a reference to target .NET Core (supporting .NET Standard 2.1) or later releases of .NET Framework 4.* (supporting .NET Standard 2.0). – Beltway Nov 17 '21 at 07:09
  • @Beltway Yes, CoreCLR is the runtime and CoreFX is the framework (standard libraries), I'm not sure why you thought I said otherwise. Reasonable points on 4.8 not being legacy, and my poor explanation of .NET Standard. I'll clarify that. – Polynomial Nov 17 '21 at 17:29
  • the main point is to not run ASP.NET that uses .NET4.8 or previous dependencies... ASP.Net-Core3.0 and forward would not be using those.... (they skipped version 4 of core to avoid confusion with .NET4.x... version went to .NET5 and dropped the -core to add back in some confusion.) While 4.8 may not be legacy, it should not be used for ASP services... that part of asp.net is legacy. – pcalkins Nov 17 '21 at 18:24
  • @Polynomial It depends on the usage of the word 'framework', which is often applied inflationarily to virtually everything that runs inside the CLR. CoreFX is merely a set of libraries. Frameworks running on .NET Core and its successors would be ASP.NET Core or MAUI. – Beltway Nov 18 '21 at 07:56
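The practical question behind the scope clause is "which family does this build actually target?", and the answer usually sits in the project files rather than in anyone's memory of the naming history. The script below is an added example, not code from the question, the answer or Microsoft: it reads an MSBuild .csproj (legacy or SDK-style) or an ASP.NET web.config, maps every declared target framework moniker (TFM) to the families the answer distinguishes (.NET Framework, .NET Core, the unified .NET 5+, and .NET Standard), and flags builds that fall under the sentence quoted in the question. The four sample files are constructed for the example, and the `excluded_by_quoted_clause` flag encodes only that one quoted sentence, not Microsoft's full scope document; `System.Web`/`System.Web.Mvc` references and a `<system.web>` section are used as the marker for Webforms/MVC on .NET Framework.

```python
"""Classify a .NET project's declared target frameworks (added example)."""
import xml.etree.ElementTree as ET

FRAMEWORK = ".NET Framework"   # net20 .. net48, v4.x: old CLR, System.Web lives here
CORE = ".NET Core"             # netcoreapp1.0 .. netcoreapp3.1 on CoreCLR
MODERN = ".NET 5+"             # net5.0, net6.0, ...: Core continued under the plain .NET name
STANDARD = ".NET Standard"     # API contract only; the host that loads the library decides


def classify_tfm(tfm):
    """Map a TFM (or a legacy TargetFrameworkVersion such as 'v4.8') to its family."""
    t = tfm.strip().lower().split("-", 1)[0]     # drop platform suffix: net6.0-windows -> net6.0
    if t.startswith("netstandard"):
        return STANDARD
    if t.startswith("netcoreapp"):
        return CORE
    body = t[3:] if t.startswith("net") else t   # "net48" -> "48", "net6.0" -> "6.0"
    body = body.lstrip("v")                      # "v4.8" -> "4.8"
    major = body.split(".", 1)[0]
    if "." in body and major.isdigit():
        # Dotted monikers: major >= 5 is unified .NET; v4.x / v3.5 are Framework versions.
        return MODERN if int(major) >= 5 else FRAMEWORK
    if body.isdigit():
        # Undotted monikers (net35, net462, net48) are always .NET Framework.
        return FRAMEWORK
    raise ValueError(f"unrecognised target framework {tfm!r}")


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def project_targets(xml_text):
    """Return the distinct target frameworks declared in a .csproj or web.config, in order."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        name, text = _local(el.tag), (el.text or "").strip()
        if name == "TargetFramework" and text:
            found.append(text)
        elif name == "TargetFrameworks" and text:               # multi-target: "net6.0;net48"
            found.extend(x.strip() for x in text.split(";") if x.strip())
        elif name == "TargetFrameworkVersion" and text:         # legacy csproj: "v4.8"
            found.append(text)
        elif name in ("compilation", "httpRuntime") and el.get("targetFramework"):
            found.append("v" + el.get("targetFramework"))       # web.config: ASP.NET on Framework
    return list(dict.fromkeys(found))


def assess(xml_text):
    """Summarise one project file against the families above and the quoted scope clause."""
    root = ET.fromstring(xml_text)
    refs = [el.get("Include", "") for el in root.iter() if _local(el.tag) == "Reference"]
    # System.Web (Webforms) and System.Web.Mvc exist only on .NET Framework; so does <system.web>.
    legacy_aspnet = any(r == "System.Web" or r.startswith("System.Web.") for r in refs) \
        or any(_local(el.tag) == "system.web" for el in root.iter())
    families = {t: classify_tfm(t) for t in project_targets(xml_text)}
    framework_targets = [t for t, f in families.items() if f == FRAMEWORK]
    return {
        "targets": families,
        "legacy_aspnet": legacy_aspnet,
        "framework_targets": framework_targets,
        # The quoted clause excludes .NET Framework and ASP.NET (Webforms/MVC) running on it.
        "excluded_by_quoted_clause": bool(framework_targets) or legacy_aspnet,
    }


# Constructed sample inputs for the example (not taken from any real project).
LEGACY_MVC_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><TargetFrameworkVersion>v4.8</TargetFrameworkVersion></PropertyGroup>
  <ItemGroup>
    <Reference Include="System.Web" />
    <Reference Include="System.Web.Mvc" />
  </ItemGroup>
</Project>"""
MULTI_TARGET_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFrameworks>net6.0;net48</TargetFrameworks></PropertyGroup>
</Project>"""
ASPNETCORE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>net6.0</TargetFramework></PropertyGroup>
</Project>"""
WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.7.2" />
    <httpRuntime targetFramework="4.7.2" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, doc in [("legacy MVC", LEGACY_MVC_CSPROJ), ("multi-target", MULTI_TARGET_CSPROJ),
                       ("ASP.NET Core", ASPNETCORE_CSPROJ), ("web.config", WEB_CONFIG)]:
        print(label, assess(doc))
```

The multi-target sample is the case worth noticing: a single project can produce one build that is excluded by the quoted clause (`net48`) and one that is not (`net6.0`), so a report has to be per target, not per repository. A `netstandard2.0` library is deliberately reported as neither, because which runtime it ends up in is decided by the application that loads it.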