Table of Contents
We’re thrilled to share that this year, the Microsoft Bounty Program has distributed $17 million to 344 security researchers from 59 countries, the highest total bounty awarded in the program’s history.
In close collaboration with the Microsoft Security Response Center (MSRC), these security researchers have helped identify and resolve more than a thousand potential vulnerabilities, strengthening protections for Microsoft customers around the world.
The Microsoft Bounty Program is a key part of our proactive security approach. By incentivizing independent researchers to identify vulnerabilities in high-impact areas, including the rapidly evolving field of AI, we’re able to stay ahead of emerging threats. Through Coordinated Vulnerability Disclosure, these researchers play a critical role in reinforcing the trust that millions of users place in Microsoft technologies every day.
Microsoft’s bounty initiatives span a broad portfolio of Microsoft products and services, including Azure, Microsoft 365, Dynamics 365, Power Platform, Windows, Edge, Xbox, and more. Each program is designed with clear scopes, eligibility requirements, award tiers, and submission guidelines—ensuring that researchers can safely and effectively contribute to our shared mission to protect customers.
For full program details, visit the https://aka.ms/bugbounty.
Zero Day Quest
In April the Microsoft Security Response Center recently welcomed some of the world’s most talented security researchers at Microsoft’s Zero Day Quest, the largest live hacking competition of its kind. The inaugural event challenged the security community to focus on the highest-impact security scenarios for Copilot and Cloud.
The event received more than 600 vulnerability submissions and awarded more than $1.6 million during the qualifying research challenge and live event.
During the qualifying rounds, researchers submitted their work for a chance to attend the event in person and earn additional incentives beyond our regular bug bounty awards. A select group of researchers then dug in even further in Redmond and online for the live event where they worked on capture-the-flag challenges in Microsoft products, attended social events, and held technical discussions with the Microsoft security teams.
Nearly 100 researchers also participated in our training sessions, which included AI bug hunting with our AI Red Team, SSRF training with our engineering team, and tips and advice from the bounty team.
Zero Day Quest will return annually with new research challenges, bounty multipliers, and deeper collaboration between Microsoft product engineering teams, Microsoft security teams, and the security research community. The 2026 Research Challenge is now open, with the Live Hacking Event returning in spring, bringing new opportunities for researchers to engage, earn rewards, and help advance security together.
Bounty Programs updates
As Microsoft’s threat landscape and product ecosystem continue to evolve, so too does the Microsoft Bounty Program. We regularly adapt our programs—expanding coverage to include new products and services, and refining research priorities to stay ahead of emerging threats and attack techniques. This ongoing evolution ensures our bounty initiatives remain aligned with the latest security challenges and continue to drive meaningful impact.
This past year, the program publicly introduced the following:
-
Copilot Bounty Program was expanded to integrate traditional online service vulnerabilities Microsoft Vulnerability Severity Classification for Online Services, moderate severity issues, and Copilot for WhatsApp & Telegram. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.
-
Identity Bounty Program scope expansion to include addition APIs and domains that secure Enterprise accounts
-
Defender Bounty Program scope expansion to include Microsoft Defender for Identity (MDI), Microsoft Defender for Office (MDO), and Microsoft Defender for Cloud Applications (MDA)
-
M365 Bounty Program scope expansion to include Viva Glint, Learning, Pulse, and Feature Access Control
-
Dynamics 365 & Power Platform Bounty Program expanded awards to include AI Bounty Award category
-
Windows Bounty Program attack scenario awards were refreshed for remote persistent DoS and local sandbox escape scenarios.
Bounty awards
Bounty awards are determined by the severity and potential impact of the reported vulnerability, as well as the clarity, accuracy, and completeness of the submission. We prioritize awards in areas that matter most to our customers, encouraging research that drives meaningful security improvements where it counts most.
Looking ahead, we remain committed to evolving our programs to better protect customers and based on your feedback. We’re deeply grateful to our global community of security researchers for their continued partnership and expertise in helping protect millions of Microsoft users.
We’re excited to strengthen existing collaborations and welcome new contributors as we continue building a safer digital ecosystem together.
Stay secure & happy hunting!
Madeline Eckert, Lynn Miyashita, Nyesha Harden
Microsoft Bounty Team
