Thursday, August 7, 2025

Microsoft Bounty Program Year in Review: $17 million in rewards | MSRC Blog

We’re thrilled to share that this year the Microsoft Bounty Program has distributed $17 million to 344 security researchers from 59 countries, the highest total bounty awarded in the program’s history.

In close collaboration with the Microsoft Security Response Center (MSRC), these security researchers have helped identify and resolve more than a thousand potential vulnerabilities, strengthening protections for Microsoft customers around the world.

The Microsoft Bounty Program is a key part of our proactive security strategy. By incentivizing independent researchers to identify vulnerabilities in high-impact areas, including the rapidly evolving field of AI, we are able to stay ahead of emerging threats. Through Coordinated Vulnerability Disclosure, these researchers play a critical role in reinforcing the trust that millions of users place in Microsoft technologies every day.

Microsoft’s bounty initiatives span a broad portfolio of Microsoft products and services, including Azure, Microsoft 365, Dynamics 365, Power Platform, Windows, Edge, Xbox, and more. Each program is designed with clear scopes, eligibility requirements, award tiers, and submission guidelines, ensuring that researchers can safely and effectively contribute to our shared mission to protect customers.

For full program details, visit https://aka.ms/bugbounty.

Zero Day Quest

In April the Microsoft Security Response Center welcomed some of the world’s most talented security researchers to Microsoft’s Zero Day Quest, the largest live hacking competition of its kind. The inaugural event challenged the security community to focus on the highest-impact security scenarios for Copilot and Cloud.

The event received more than 600 vulnerability submissions and awarded more than $1.6 million across the qualifying research challenge and the live event.

During the qualifying rounds, researchers submitted their work for a chance to attend the event in person and earn additional incentives beyond our regular bug bounty awards. A select group of researchers then dug in even further, in Redmond and online, for the live event, where they worked on capture-the-flag challenges in Microsoft products, attended social events, and held technical discussions with Microsoft security teams.

Nearly 100 researchers also participated in our training sessions, which included AI bug hunting with our AI Red Team, SSRF training with our engineering team, and tips and advice from the bounty team.

Zero Day Quest will return annually with new research challenges, bounty multipliers, and deeper collaboration between Microsoft product engineering teams, Microsoft security teams, and the security research community. The 2026 Research Challenge is now open, with the Live Hacking Event returning in spring, bringing new opportunities for researchers to engage, earn rewards, and help advance security together.

Bounty Program updates

As Microsoft’s threat landscape and product ecosystem continue to evolve, so too does the Microsoft Bounty Program. We regularly adapt our programs, expanding coverage to include new products and services, and refining research priorities to stay ahead of emerging threats and attack techniques. This ongoing evolution ensures our bounty initiatives remain aligned with the latest security challenges and continue to drive meaningful impact.

This past year, the program publicly launched the following:

  • Copilot Bounty Program was expanded to incorporate traditional online service vulnerabilities under the Microsoft Vulnerability Severity Classification for Online Services, moderate severity issues, and Copilot for WhatsApp & Telegram. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.

  • Identity Bounty Program scope expansion to include additional APIs and domains that secure Enterprise accounts

  • Defender Bounty Program scope expansion to include Microsoft Defender for Identity (MDI), Microsoft Defender for Office (MDO), and Microsoft Defender for Cloud Apps (MDA)

  • M365 Bounty Program scope expansion to include Viva Glint, Learning, Pulse, and Role Access Control

  • Dynamics 365 & Power Platform Bounty Program expanded awards to include an AI Bounty Award category

  • Windows Bounty Program attack scenario awards were refreshed for remote persistent DoS and local sandbox escape scenarios.

Bounty awards

Bounty awards are determined by the severity and potential impact of the reported vulnerability, as well as the clarity, accuracy, and completeness of the submission. We prioritize awards in areas that matter most to our customers, encouraging research that drives meaningful security improvements where it counts most.

Looking ahead, we remain committed to evolving our programs, based on your feedback, to better protect customers. We are deeply grateful to our global community of security researchers for their continued partnership and expertise in helping protect millions of Microsoft users.

We’re excited to strengthen existing collaborations and welcome new contributors as we continue building a safer digital ecosystem together.

Stay secure & happy hunting!

Madeline Eckert, Lynn Miyashita, Nyesha Harden

Microsoft Bounty Team
