Wednesday, August 6, 2025

Microsoft Bounty Program year in review: $17 million in rewards | MSRC Blog


We're thrilled to share that this year, the Microsoft Bounty Program has distributed $17 million to 344 security researchers from 59 countries, the highest total bounty awarded in the program's history.

In close collaboration with the Microsoft Security Response Center (MSRC), these security researchers have helped identify and resolve more than a thousand potential vulnerabilities, strengthening protections for Microsoft customers around the world.

The Microsoft Bounty Program is a key part of our proactive security strategy. By incentivizing independent researchers to identify vulnerabilities in high-impact areas, including the rapidly evolving field of AI, we're able to stay ahead of emerging threats. Through Coordinated Vulnerability Disclosure, these researchers play a critical role in reinforcing the trust that millions of users place in Microsoft technologies every day.

Microsoft's bounty initiatives span a broad portfolio of Microsoft products and services, including Azure, Microsoft 365, Dynamics 365, Power Platform, Windows, Edge, Xbox, and more. Each program is designed with clear scopes, eligibility requirements, award tiers, and submission guidelines, ensuring that researchers can safely and effectively contribute to our shared mission to protect customers.

For full program details, visit https://aka.ms/bugbounty.

Zero Day Quest

In April, the Microsoft Security Response Center welcomed some of the world's most talented security researchers at Microsoft's Zero Day Quest, the largest live hacking competition of its kind. The inaugural event challenged the security community to focus on the highest-impact security scenarios for Copilot and Cloud.

The event received more than 600 vulnerability submissions and awarded more than $1.6 million during the qualifying research challenge and live event.

During the qualifying rounds, researchers submitted their work for a chance to attend the event in person and earn additional incentives beyond our regular bug bounty awards. A select group of researchers then dug in even further in Redmond and online for the live event, where they worked on capture-the-flag challenges in Microsoft products, attended social events, and held technical discussions with the Microsoft security teams.

Nearly 100 researchers also participated in our training sessions, which included AI bug hunting with our AI Red Team, SSRF training with our engineering team, and tips and advice from the bounty team.

Zero Day Quest will return annually with new research challenges, bounty multipliers, and deeper collaboration between Microsoft product engineering teams, Microsoft security teams, and the security research community. The 2026 Research Challenge is now open, with the Live Hacking Event returning in spring, bringing new opportunities for researchers to engage, earn rewards, and help advance security together.

Bounty Programs updates

As Microsoft's threat landscape and product ecosystem continue to evolve, so too does the Microsoft Bounty Program. We regularly adapt our programs, expanding coverage to include new products and services, and refining research priorities to stay ahead of emerging threats and attack techniques. This ongoing evolution ensures our bounty initiatives remain aligned with the latest security challenges and continue to drive meaningful impact.

This past year, the program publicly launched the following:

Copilot Bounty Program was expanded to include traditional online service vulnerabilities (Microsoft Vulnerability Severity Classification for Online Services), moderate severity issues, and Copilot for WhatsApp & Telegram. These changes are designed to enhance the program's effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.

Identity Bounty Program scope expansion to include additional APIs and domains that secure Enterprise accounts

Defender Bounty Program scope expansion to include Microsoft Defender for Identity (MDI), Microsoft Defender for Office (MDO), and Microsoft Defender for Cloud Applications (MDA)

M365 Bounty Program scope expansion to include Viva Glint, Learning, Pulse, and Feature Access Control

Dynamics 365 & Power Platform Bounty Program expanded awards to include AI Bounty Award category

Windows Bounty Program attack scenario awards were refreshed for remote persistent DoS and local sandbox escape scenarios.

Bounty awards

Bounty awards are determined by the severity and potential impact of the reported vulnerability, as well as the clarity, accuracy, and completeness of the submission. We prioritize awards in areas that matter most to our customers, encouraging research that drives meaningful security improvements where it counts most.

Looking ahead, we remain committed to evolving our programs to better protect customers and based on your feedback. We're deeply grateful to our global community of security researchers for their continued partnership and expertise in helping protect millions of Microsoft users.

We're excited to strengthen existing collaborations and welcome new contributors as we continue building a safer digital ecosystem together.

Stay secure & happy hunting!

Madeline Eckert, Lynn Miyashita, Nyesha Harden

Microsoft Bounty Team


