Microsoft Bug Bounty Program
Microsoft strongly believes close partnerships with the global security researcher community make customers more secure. Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process and sharing them under Coordinated Vulnerability Disclosure (CVD). Each year we partner together to better protect billions of customers worldwide.
If you are a security researcher that has found a vulnerability in a Microsoft product, service, or device we want to hear from you. If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you may receive a bounty award according to the program descriptions. Even if it is not covered under an existing bounty program, we will publicly acknowledge your contributions when we fix the vulnerability. All vulnerability submissions are counted in our Researcher Recognition Program and Researcher Leaderboard, even if they do not qualify for bounty award.
Click here to submit a security vulnerability
The Microsoft Bug Bounty Programs are subject to the legal terms and conditions outlined here, and our bounty Safe Harbor policy.
Let the hunt begin!
Each bug bounty program has its own scope, eligibility criteria, award range, and submission guidelines to help researchers pursue impactful research without causing unintended harm, though they generally share the same high level requirements:
Is this your first time reporting to the MSRC? Want to learn more about our case process? Visit our MSRC Researcher Resource Center to watch the Researcher Onboarding Video to learn about the Rules of Engagement, case process, available rewards through the Bounty Program, recognition points and leaderboards, and our disclosure process.
Zero Day Quest
As announced in the MSRC Blog, Securing AI and cloud with the Microsoft Zero Day Quest, the Microsoft Zero Day Quest invites security researchers to discover and report high-impact vulnerabilities in Microsoft AI and Cloud Bounty Programs: Microsoft Azure, Microsoft Identity, M365, and Microsoft Dynamics 365 and Power Platform. To learn more, visit the Zero Day Quest page!
Cloud Programs
Program Name | Eligible entries | Bounty Range |
---|---|---|
Microsoft Azure |
Vulnerability reports on Microsoft Azure cloud services
|
Up to $80,000 USD
|
Microsoft Identity |
Vulnerability reports on Identity services, including Microsoft Account, Azure Active Directory, or select OpenID standards.
|
Up to $150,000 USD
|
Xbox |
Vulnerability reports on the Xbox Live network and services
|
Up to $20,000 USD
|
M365 |
Vulnerability reports on applicable Microsoft cloud services, including Office 365
|
Up to $27,000 USD
|
Microsoft Azure DevOps Services |
Vulnerability reports on applicable Microsoft Azure DevOps Services
|
Up to $20,000 USD
|
Microsoft Dynamics 365 and Power Platform |
Vulnerability reports on applicable Microsoft Dynamics 365 and Power Platform applications
|
Up to $30,000 USD
|
Microsoft .NET |
Vulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see link for program details)
|
Up to $15,000 USD
|
Microsoft AI |
Vulnerability reports on the Copilot AI experiences
|
Up to $30,000 USD
|
Microsoft Defender |
Vulnerability reports on Microsoft Defender for Endpoint APIs
|
Up to $20,000 USD
|
Platform Programs
Program Name | Eligible Entries | Bounty Range |
---|---|---|
Microsoft Hyper-V |
Critical remote code execution, information disclosure and denial of services vulnerabilities in Hyper-V
|
Up to $250,000 USD
|
Microsoft Windows Insider Preview |
Critical and important vulnerabilities in Windows Insider Preview
|
Up to $100,000 USD
|
Microsoft Applications and On-Premises Servers |
Critical and important vulnerabilities in Microsoft Applications and On-Premises Servers
|
Up to $30,000 USD
|
Windows Defender Application Guard |
Critical vulnerabilities in Windows Defender Application Guard
|
Up to $30,000 USD
|
Microsoft Edge (Chromium-based) |
Critical, important, and moderate vulnerabilities in Microsoft Edge (Chromium-based) Dev, Beta, and Stable channels
|
Up to $30,000 USD
|
Microsoft 365 Insider |
Vulnerabilities on Microsoft 365 Insider
|
Up to $15,000 USD
|
Defense & Grant Programs & Challenges
Program Name | Eligible Entries | Bounty Range |
---|---|---|
Mitigation Bypass and Bounty for Defense |
Novel exploitation techniques against protections built into the latest version of the Windows operating system. Additionally, defensive ideas that accompany a Mitigation Bypass submission.
|
Up to $100,000 USD (plus up to an additional $100,000)
|
Grant: Microsoft Identity |
This project grant awards up to $75,000 USD for approved research proposals that improve the security of the Microsoft Identity solutions in new ways for both Consumers (Microsoft Account) and Enterprise (Azure Active Directory).
|
Up to $75,000 USD
|
SIKE Cryptographic Challenge |
This challenge awards up to $50,000 USD for solutions that break the SIKE algorithm for two sets of toy parameters.
|
Up to $50,000 USD
|
LLMail-Inject |
This challenge has a $10,000 USD award pool for the top teams participating in the new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client.
|
Up to $10,000 USD award pool
|
Additional resources for security researchers
We have pulled together additional resources to help you understand our bounty program offerings and even help you get started on the path or to higher payouts. We truly view this as a collaborative partnership with the security community. Your success in this program helps further our customer’s security and the ecosystem.
What to Expect When Reporting Vulnerabilities to Microsoft
Example of High Quality Reports
Researcher Recognition Program
Microsoft Bounty Legal Safe Harbor
Windows Security Servicing Criteria
Microsoft Vulnerability Severity Classification for AI Systems
Microsoft Vulnerability Severity Classification for Online Services
Microsoft Documentation for end users, developers, and IT professionals
Microsoft Security Research & Defense Blog
Out of Bounty Scope
Some submission types are generally not eligible for Microsoft bounty awards. Please refer to our bounty programs for additional information on eligible submission, vulnerability, or attack methods.