We’re thrilled to share that this year, the Microsoft Bounty Program has distributed $17 million to 344 security researchers from 59 countries, the highest total bounty awarded in the program’s history.
In close collaboration with the Microsoft Security Response Center (MSRC), these security researchers have helped identify and resolve more than a thousand potential vulnerabilities, strengthening protections for Microsoft customers around the world.
The Microsoft Bounty Program is a key part of our proactive security strategy. By incentivizing independent researchers to identify vulnerabilities in high-impact areas, including the rapidly evolving field of AI, we’re able to stay ahead of emerging threats. Through Coordinated Vulnerability Disclosure, these researchers play a vital role in reinforcing the trust that millions of users place in Microsoft technologies every day.
Microsoft’s bounty initiatives span a broad portfolio of Microsoft services, including Azure, Microsoft 365, Dynamics 365, Power Platform, Windows, Edge, Xbox, and more. Each program is designed with clear scopes, eligibility requirements, award tiers, and submission guidelines, ensuring that researchers can safely and effectively contribute to our shared mission to protect customers.
For full program details, visit https://aka.ms/bugbounty.
Zero Day Quest
In April, the Microsoft Security Response Center welcomed some of the world’s most talented security researchers at Microsoft’s Zero Day Quest, the largest live hacking competition of its kind. The inaugural event challenged the security community to focus on the highest-impact security scenarios for Copilot and Cloud.
The event received more than 600 vulnerability submissions and awarded more than $1.6 million across the qualifying research challenge and live event.
During the qualifying rounds, researchers submitted their work for a chance to attend the event in person and earn additional incentives beyond our regular bug bounty awards. A select group of researchers then dug in even further in Redmond and online for the live event, where they worked on capture-the-flag challenges in Microsoft products, attended social events, and held technical discussions with the Microsoft security teams.
Nearly 100 researchers also participated in our training sessions, which included AI bug hunting with our AI Red Team, SSRF training with our engineering team, and tips and advice from the bounty team.
Zero Day Quest will return annually with new research challenges, bounty multipliers, and deeper collaboration between Microsoft product engineering teams, Microsoft security teams, and the security research community. The 2026 Research Challenge is now open, with the Live Hacking Event returning in spring, bringing new opportunities for researchers to engage, earn rewards, and help advance security together.
Bounty Programs updates
As Microsoft’s threat landscape and product ecosystem continue to evolve, so too does the Microsoft Bounty Program. We regularly adapt our programs, expanding coverage to include new services and refining research priorities to stay ahead of emerging threats and attack techniques. This ongoing evolution ensures our bounty initiatives remain aligned with the latest security challenges and continue to drive meaningful impact.
This past year, the program publicly launched the following:
Copilot Bounty Program was expanded to include traditional online service vulnerabilities (Microsoft Vulnerability Severity Classification for Online Services), moderate severity issues, and Copilot for WhatsApp & Telegram. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.
Identity Bounty Program scope expansion to include additional APIs and domains that secure Enterprise accounts
Defender Bounty Program scope expansion to include Microsoft Defender for Identity (MDI), Microsoft Defender for Office (MDO), and Microsoft Defender for Cloud Applications (MDA)
M365 Bounty Program scope expansion to include Viva Glint, Learning, Pulse, and Role Access Control
Dynamics 365 & Power Platform Bounty Program expanded awards to include AI Bounty Award category
Windows Bounty Program attack scenario awards were refreshed for remote persistent DoS and local sandbox escape scenarios.
Bounty awards
Bounty awards are determined by the severity and potential impact of the reported vulnerability, as well as the clarity, accuracy, and completeness of the submission. We prioritize awards in areas that matter most to our customers, encouraging research that drives meaningful security improvements where it counts most.
Looking ahead, we remain committed to evolving our programs, based on your feedback, to better protect customers. We’re deeply grateful to our global community of security researchers for their continued partnership and expertise in helping protect millions of Microsoft users.
We’re excited to strengthen existing collaborations and welcome new contributors as we continue building a safer digital ecosystem together.
Stay secure & happy hunting!
Madeline Eckert, Lynn Miyashita, Nyesha Harden
Microsoft Bounty Team

