Secure research starts with responsible testing.
Microsoft Azure Bounty Program
Partner with Microsoft to strengthen our products and services by identifying and reporting security vulnerabilities that could impact our customers.
IMPORTANT: The Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Coordinated Vulnerability Disclosure (CVD), Bounty Program Guidelines, and the Microsoft Bounty Program page.
PROGRAM DESCRIPTION
Microsoft Azure is an ever-expanding set of cloud computing services to help organizations build, manage, and deploy applications on a massive, global network using their preferred tools and frameworks. The Microsoft Azure Bounty Program invites researchers to identify vulnerabilities in Azure products and services and share them with our team. Qualified submissions are eligible for bounty awards from $1,250 to $60,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.
ELIGIBLE SUBMISSIONS
The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.
In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Identify a vulnerability in Azure Products that was not previously reported to, or otherwise known by, Microsoft.
- Such vulnerability must be of Critical or Important severity and must be reproducible on the latest, fully patched version of the in-scope products or services.
We request researchers include the following information to help us quickly assess their submission:
- Submit through the MSRC Researcher Portal.
- Indicate in the vulnerability submission which high impact scenario (if any) your report qualifies for.
- Describe the attack vector for the vulnerability.
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.
SCOPE
Vulnerabilities submitted in the following Product(s) are eligible under this bounty program:
GETTING STARTED
Please follow the guidance below to create a test account for security testing and probing. Additionally, please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability. If in doubt, please contact bounty@microsoft.com.
- For Azure services, you can start a free trial to use as your test account here, and learn more about Azure with Getting Started Guide for Developers and the Azure documentation site.
- For Microsoft Account, you can set up your test account here.
- Follow the Azure Blog and Twitter to learn about the latest features and releases.
In all cases, where possible, please include the string “MSOBB” in your account name and/or tenant name to identify it as being used for security research.
BOUNTY AWARDS
Bounty awards range from $1,250 up to $60,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.
Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix; they may also earn points in our Researcher Recognition Program to receive swag and secure a place on the Microsoft Most Valuable Researcher list.
AZURE SECURITY LAB SCENARIO CHALLENGE
In Azure Security Lab scenario challenges, we provide more content and resources to better arm security researchers with the tools needed to research high-impact vulnerabilities in the cloud. Please see ongoing challenges on the Azure Security Lab page.
High Impact Scenarios
| Target | Scenario | Multiplier |
|---|---|---|
| Key Vault | Compromise logging or auditing keys | +50% |
| Leaking keys | +40% | |
| Editing or deleting keys | +30% | |
| Azure Kubernetes Service | All bounty eligible submissions targeting this service | +20% |
*High Impact Scenarios apply a percentage multiplier to the general award amount.For example, if the general award is $10,000 and the multiplier is +50%, the total award becomes $15,000.
General Awards
| Severity (all amounts in USD) | |||||
|---|---|---|---|---|---|
| Security Impact | Report Quality | Critical | Important | Moderate | Low |
| Remote Code Execution | High Medium Low | $40,000 $20,000 $10,000 | $30,000 $20,000 $10,000 | $0 | $0 |
| Elevation of Privilege | High Medium Low | $40,000 $30,000 $20,000 | $10,000 $6,000 $4,000 | $0 | $0 |
| Information Disclosure | High Medium Low | $12,000 $9,000 $7,500 | $7,500 $5,000 $3,000 | $0 | $0 |
| Spoofing | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,250 | $0 | $0 |
| Tampering | High Medium Low | $8,000 $5,000 $2,500 | $4,000 $2,500 $1,200 | $0 | $0 |
| Denial of Service | High/Low | Out of Scope | |||
*Sample high- and low-quality reports are available here.
OUT-OF-SCOPE SUBMISSIONS AND VULNERABILITIES
Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty award.
If your submission is evaluated as out-of-scope for this individual bounty program, it may still qualify for an award under the Standard Award Policy.
Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty awards:
- Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community
- Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations. As of March 2022, for example, these include, without limitation:
- Vulnerabilities that rely on VSCode extensions
- Vulnerabilities that rely on Swagger API
- Dependency Confusion issues
- Vulnerabilities that rely on Akamai ARL misconfiguration
- Vulnerabilities found in Azure Defender for IoT
- Vulnerabilities found in Azure Site Recovery
- Out-of-scope vulnerability types, including:
- Vulnerabilities requiring physical access to hardware components
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- Cookie replay vulnerabilities
- Sub-Domain Takeovers
- Denial-of-service (DoS) attacks of any kind, including but not limited to volumetric, protocol, and application-layer attacks
- Low impact CSRF bugs (such as logoff)
- Server-side information disclosure such as IPs, server names, and most stack traces
- Vulnerabilities that are addressed via product documentation updates, without change to product code or function
- Training, documentation, samples, and community forum sites related to Azure Bounty Program products and services are out-of-scope for bounty awards
- Vulnerabilities requiring preconditions such as running malware, access to local network or devices, or man-in-the-middle attacks
- Vulnerabilities based on user configuration or action, for example:
- Vulnerabilities requiring extensive or unlikely user actions
- Vulnerabilities in user-created content or applications
- Security misconfiguration of a service by a user, such as the enabling of HTTP access on a storage account to allow for man-in-the-middle (MiTM) attacks
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Vulnerabilities based on third parties that do not demonstrate a qualifying security impact on the specified service, including:
- Vulnerabilities in third-party software provided by Azure, such as gallery images and ISV applications
- Vulnerabilities in platform technologies that are not unique to the online services in question (for example, Apache or IIS vulnerabilities)
- Vulnerabilities in a web application that only affect unsupported browsers and plugins
- Vulnerabilities found in Microsoft Partner portals, including partner.microsoft.com or aipartner.microsoft.com
- Vulnerabilities found in Azure RTOS
- Vulnerabilities found in Azure App Center
- Vulnerabilities in OMI
- Vulnerabilities in open-source components, libraries, or repositories
- Vulnerabilities in SDKs
- Vulnerabilities in Microsoft employee-owned personal GitHub repositories
- Vulnerabilities in Azure agents, monitors, or any products that run on the local machine
- Vulnerabilities on Windows client components hosted in Azure Virtual Machine are not eligible for Azure bounty.
- Vulnerabilities in Playfab
Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.
ADDITIONAL INFORMATION
For additional information, please see our FAQ.
REVISION HISTORY
- September 2014: Program launched.
- August 2015: Program scope updated and bounty program name changed from Online Services to Cloud bounty program.
- July 17, 2018: Identity related vulnerabilities moved into the Microsoft Identity Bounty Program.
- January 17, 2019: Updated award ranges based on impact, severity, and report quality. Added in-scope summary.
- June 17, 2019: Azure bounty program separated from the Online Services Bounty Program Training, documentation, sample, and community sites moved out of scope. Updated pentesting guidance.
- January 21, 2020: Removed all listed endpoints. Services listed under https://azure.microsoft.com/en-us/services are in scope for bounty rewards under this program or related Microsoft Bounty programs.
- May 5, 2020: Moved Azure Security Lab content to a stand-alone program page. Standardized bounty program language.
- August 24, 2020: Added to out of scope – vulnerabilities that rely on VSCode extensions.
- August 27, 2020: Added guidance to Additional Information section.
- January 28, 2021: Added to out of scope – vulnerabilities that rely on Swagger API.
- April 20, 2021: Added to out of scope – confusion dependency issues.
- August 26, 2021: Added to out of scope – vulnerabilities that rely on Akamai ARL misconfiguration.
- September 14, 2021: Added to out of scope – vulnerabilities in Microsoft Partner portals, including partner.microsoft.com or aipartner.microsoft.com.
- October 6, 2021: Added to out of scope – vulnerabilities found in Azure Defender for IoT.
- October 18, 2021: Added High Impact Scenarios Awards.
- December 20, 2021: Added dependency confusion clarification to both In Scope and Out of Scope sections.
- February 24, 2022: Added clarification that vulnerabilities addressed via product documentation updates are out of scope.
- March 14, 2022: Added to out of scope - dependency confusion issues.
- April 28, 2022: Added to out of scope - vulnerabilities found in Azure Site Recovery.
- August 22, 2022: Added to out of scope – vulnerabilities found in Azure RTOS GUIX Studio.
- November 18, 2022: Added clarification that vulnerabilities found in Azure RTOS GUIX Studio and Library are out of scope.
- April 5, 2023: Removed Azure Synapse from High Impact Scenarios.
- August 16, 2023: Added to out of scope – vulnerabilities found in Azure RTOS.
- August 25, 2023: Added to out of scope – vulnerabilities found in Azure App Center.
- December 19, 2023: Added to out of scope – vulnerabilities found in SQL.
- December 20, 2023: Confirmed out of scope - vulnerabilities in OMI or open-source components.
- August 5, 2024: Clarified open-source out of scope exclusion.
- August 29, 2024: Clarified out of scope for vulnerabilities requiring preconditions such as running malware, access to local network or devices, or man-in-the-middle attacks.
- October 1, 2024: Added out of scope for vulnerabilities in Azure products that only impact the Windows local machine and vulnerabilities in Windows client components hosted in Azure Virtual Machine.
- November 19, 2024: Added temporary Zero Day Quest Award Multipliers for eligible security impacts and high impact scenarios.
- February 12, 2025: Clarified out-of-scope for open source, locally installed products.
- March 3, 2025: Removed reference to Zero Day Quest and bonus multipliers as the research challenge ended.
- May 13, 2025: Updated Research Rules of Engagement section.
- May 14, 2025: Confirmed out of scope - vulnerabilities found in Azure Playfab.
- June17, 2025: Updated out of scope – vulnerabilities found in SQL drivers and engines.
- December 11, 2025: Increased awards, updated hyperlinks, and standardized language