The .NET, .NET Core and ASP.NET Core support policy, including supported versions, can be found at the .NET and .NET Core Support Policy Page.
Please do not open issues on GitHub for anything you think might have a security implication.
Security issues and bugs should be reported privately to the Microsoft Security Response Center (MSRC), via the MSRC Researcher Portal.
You should receive a response within 24 hours. If for some reason you do not, please follow up via the MSRC Researcher Portal, using the Message functionality found at the bottom of the Activity tab on your vulnerability report.
Further information can be found in the MSRC Report an issue and submission guidelines.
Reports via MSRC may qualify for the Microsoft .NET Bug Bounty. Details of the Microsoft .NET Bounty Program, including terms and conditions, are at https://aka.ms/corebounty.