Microsoft Copilot Bounty Program

PROGRAM DESCRIPTION

The Microsoft Copilot bounty program invites security researchers from across the globe to discover vulnerabilities in the new, innovative, Microsoft Copilot. Qualified submissions are eligible for bounty rewards from $250 to $30,000 USD.

This bounty program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions and our bounty Safe Harbor policy.

IN-SCOPE SERVICES AND PRODUCTS

Vulnerabilities submitted in the following Product(s) are eligible under this bounty program when tested using a personal account:

Copilot AI experiences hosted on copilot.microsoft.com and copilot.ai in Browser (all major vendors are supported), including Copilot Pro.
Copilot AI experiences integrated in Microsoft Edge (Windows), including Copilot Pro.
Copilot AI experiences in the Microsoft Copilot Application (iOS and Android), including Copilot Pro.
Copilot AI experiences integrated into the Windows OS, via the Microsoft Copilot Application.
Copilot AI experiences on WhatsApp and Telegram.

Related Bounty Programs

All submissions are reviewed for bounty eligibility, so don’t worry if you aren’t sure where your submission fits. We will route your report to the appropriate program.

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Copilot bounty program is to uncover significant vulnerabilities in the new, innovative, Microsoft Copilot that have a direct and demonstrable impact on the security of our customers.

Vulnerability submissions must meet the following criteria to be eligible for bounty awards: 

Identify a vulnerability in Microsoft Copilot that was not previously reported to, or otherwise known by, Microsoft.
Such vulnerability must be Critical, Important or Moderate severity as defined by the Microsoft Vulnerability Severity Classification for AI Systems and the Microsoft Vulnerability Severity Classification for Online Services and reproducible on the latest, fully patched version of the product or service.
Include clear, concise, and reproducible steps, either in writing or in video format.
- Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue.
- Find examples here.

We request researchers include the following information to help us quickly assess their submission:

Submit through the MSRC Researcher Portal.
Select “Copilot, AI+ML, and LLMs” in the “Product” section of the vulnerability submission.
Include the conversation ID in the “Steps to reproduce” section of your vulnerability submission.
- To retrieve the conversation ID, enter “/id” as a chat command.
Describe the attack vector for the vulnerability.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria. 

GETTING STARTED 

Please create a personal test account for security testing and probing. Please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability. If in doubt, please contact bounty@microsoft.com.

Access Microsoft Copilot here and log in or register for a personal account.
Check out sessions from the AI Red Team and Microsoft Security Response Center:

BOUNTY AWARDS   

Bounty awards range from $250 up to $30,000.  Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Eligible submissions will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix, and points in our Researcher Recognition Program to earn swag and a place on the Microsoft Most Valuable Researcher list.

General Awards

Vulnerability Type	Report Quality	Severity
		Critical	Important	Moderate	Low
Deserialization of Untrusted Data	High Medium Low	$30,000 $20,000 $12,000	$20,000 $10,000 $6,000	$5,000 $3,000 $1,000	$0
Injection (Code Injection)	High Medium Low	$30,000 $20,000 $12,000	$20,000 $10,000 $6,000	$5,000 $3,000 $1,000	$0
Authentication Issues	High Medium Low	$20,000 $10,000 $6,000	$10,000 $4,000 $2,000	$3,000 $1,000 $500	$0
Injection (SQL Injection and Command Injection)	High Medium Low	$20,000 $10,000 $6,000	$10,000 $4,000 $2,000	$3,000 $1,000 $500	$0
Server-Side Request Forgery (SSRF)	High Medium Low	$20,000 $10,000 $6,000	$10,000 $4,000 $2,000	$3,000 $1,000 $500	$0
Improper Access Control	High Medium Low	$20,000 $10,000 $6,000	$10,000 $4,000 $2,000	$3,000 $1,000 $500	$0
Cross Site Scripting (XSS)	High Medium Low	$8,000 $6,000 $4,000	$4,000 $2,000 $1,000	$1,000 $500 $250	$0
Cross-Site Request Forgery (CSRF)	High Medium Low	$8,000 $6,000 $4,000	$4,000 $2,000 $1,000	$1,000 $500 $250	$0
Web Security Misconfiguration	High Medium Low	$8,000 $6,000 $4,000	$4,000 $2,000 $1,000	$1,000 $500 $250	$0
Cross Origin Access Issues	High Medium Low	$8,000 $6,000 $4,000	$4,000 $2,000 $1,000	$1,000 $500 $250	$0
Improper Input Validation	High Medium Low	$8,000 $6,000 $4,000	$4,000 $2,000 $1,000	$1000 $500 $250	$0
Inference Manipulation	High Medium Low	$8,000 $6,000 $4,000	$4,000 $2,000 $1,000	$1,000 $500 $250	$0
Model Manipulation	High Medium Low	$8,000 $6,000 $4,000	$4,000 $2,000 $1,000	$1,000 $500 $250	$0
Inferential Information Disclosure	High Medium Low	$8,000 $6,000 $4,000	$4,000 $2,000 $1,000	$1,000 $500 $250	$0

RESEARCH RULES OF ENGAGEMENT

To maintain the security and integrity of our services, all participants in Microsoft's bounty programs must strictly adhere to the Microsoft Security Testing Rules of Engagement (ROE). These guidelines are crafted to enable security researchers to assess the security of Microsoft Online Assets effectively while ensuring that other customers and infrastructure remain unaffected. For comprehensive details about these rules, please consult the Microsoft ROE website.

If you accidentally access unauthorized data, stop immediately. Notify MSRC with the details, delete the data, and acknowledge this in any bug bounty report. Do not share the accessed information.

Prohibited Activities

Engaging in the disruption, compromise, access, storage, or damage of data or property without explicit written consent from the owner, or adversely affecting Microsoft services for other users, is strictly prohibited. Specific prohibited activities include but are not limited to:

Accessing customer or Microsoft data and testing customer systems without explicit permission: Any interaction with data or systems that you do not own or have explicit permission to access is prohibited. This includes accessing customer data, Microsoft data, or testing systems that belong to customers.
- Example: Extracting training data, model architectures, model weights, training code, customer documents, metadata, names, configuration files, system logs, or any other unauthorized data.
Using credentials or other secrets that are not your own. This includes any credentials or secrets that you do not own, regardless of how they are obtained, including those that were leaked publicly.
Interacting with storage accounts that are not part of your subscription or that you do not own.
Performing denial-of-service testing.
Executing network-intensive fuzzing or automated testing that generates excessive traffic.
Conducting phishing or social engineering attacks targeting Microsoft employees or using Microsoft services to perform phishing or other social engineering attacks against others.

Even with these restrictions in place, Microsoft retains the authority to respond to any actions conducted on its networks that are deemed malicious in nature.

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards: 

Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community.
Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations.
AI prompt injection attacks that do not have a security impact on users other than the attacker.
Model hallucination where the model pretends to run arbitrary code provided to it.
Attacks that aim to leak (part of) the system/meta prompt.
Chat responses that appear to be inaccurate, factually incorrect, or offensive.
- Chat responses that appear to be offensive can be reported here.
Out of scope vulnerability types, including:
- Vulnerabilities requiring physical access to hardware components
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- Cookie replay vulnerabilities
- Sub-Domain Takeovers
- Denial of Service issues
- Low impact CSRF bugs (such as logoff)
- Server-side information disclosure such as IPs, server names and most stack traces. Debug pages and reverse minified JS are also out of scope
Vulnerabilities that are addressed via product documentation updates, without change to product code or function.
Vulnerabilities based on user configuration or action, for example:
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities in user-created content or applications
Vulnerabilities based on third parties, for example:
- Vulnerabilities in third party software provided by Azure such as gallery images and ISV applications.
- Vulnerabilities in platform technologies that are not unique to the online services in question (for example, Apache or IIS vulnerabilities)
Vulnerabilities in a web application that only affect unsupported browsers and plugins.
Training, documentation, samples, and community forum sites related to Microsoft Copilot products and services are not in scope for bounty awards.

Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.

ADDITIONAL INFORMATION

For additional information, please see our FAQ.

If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.

REVISION HISTORY

October 12, 2023: Program launched.
April 11, 2024: Updated in scope products to Microsoft Copilot.
October 2, 2024: Updated in scope products to Copilot AI experiences and Bing generative search.
November 19, 2024: Increased the bounty award amounts.
November 26, 2024: Removed “in scope vulnerabilities” section. Please refer to the Microsoft Vulnerability Severity Classification for AI Systems.
January 21, 2025: Added new vulnerability types to the bounty awards section.
February 6, 2025: Added Copilot AI experiences on WhatsApp and Telegram to in scope products. Added moderate severity issues to bounty program scope. Added clarifications for the Out of Scope Submissions and Vulnerabilities. Renamed this program to the Microsoft Copilot Bounty Program.
February 27, 2025: Updated Eligible Submissions section; added clarifications for the Out of Scope Submissions and Vulnerabilities section.
March 11, 2025: Added clarification to the In Scope Services and Products & Getting Started sections to direct researchers to use a personal account for Copilot research. Updated the Research Rules of Engagement section. Removed Bing generative search hosted on bing.com from In Scope Services and Products since that redirects to copilot.microsoft.com.
May 13, 2025: Updated Research Rules of Engagement section.
May 16, 2025: Updated bounty award table.