Secure research starts with responsible testing.
Bounty Programs
Partner with Microsoft to strengthen our products and services by identifying and reporting security vulnerabilities that could impact our customers.
IMPORTANT: The Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Coordinated Vulnerability Disclosure (CVD), Bounty Program Guidelines, and the Microsoft Bounty Program page.
CLOUD PROGRAMS
| Program | Description | Award Range |
|---|---|---|
| Microsoft Identity | Vulnerability reports on Identity services, including Microsoft Account, Azure Active Directory, or select OpenID standards. | Up to $100,000 USD |
| Microsoft Azure | Vulnerability reports on Microsoft Azure cloud services | Up to $60,000 USD |
| Microsoft Copilot | Vulnerability reports on the Copilot AI experience | Up to $30,000 USD |
| Xbox | Vulnerability reports on the Xbox Live network and services | Up to $20,000 USD |
| Microsoft Azure DevOps Services | Vulnerability reports on applicable Microsoft Azure DevOps Services | Up to $20,000 USD |
| Microsoft Dynamics 365 and Power Platform | Vulnerability reports on applicable Microsoft Dynamics 365 and Power Platform applications | Up to $20,000 USD |
| Microsoft Defender | Vulnerability reports on Microsoft Defender for Endpoint APIs | Up to $20,000 USD |
| M365 | Vulnerability reports on applicable Microsoft cloud services, including Office 365 | Up to $19,500 USD |
| Microsoft .NET | Vulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see link for program details) | Up to $15,000 USD |
| Open Source | Vulnerability reports in select Microsoft-owned open-source repositories | Up to $15,000 USD |
ENDPOINT & ON-PREM PROGRAMS
| Program | Description | Award Range |
|---|---|---|
| Microsoft Hyper-V | Critical remote code execution, information disclosure, and denial of service vulnerabilities in Hyper-V | Up to $250,000 USD |
| Microsoft Windows Insider Preview | Critical and important vulnerabilities in Windows Insider Preview | Up to $100,000 USD |
| Microsoft Applications and On-Premises Servers | Critical and important vulnerabilities in Microsoft Applications and On-Premises Servers | Up to $30,000 USD |
| Microsoft Edge (Chromium-based) | Critical, important, and moderate vulnerabilities in Microsoft Edge (Chromium-based) Dev, Beta, and Stable channels | Up to $30,000 USD |
| Microsoft 365 Insider | Vulnerabilities on Microsoft 365 Insider | Up to $15,000 USD |
ZERO DAY QUEST
OVERVIEW
As announced in the MSRC blog, Microsoft Zero Day Quest invites security researchers to discover and report high-impact vulnerabilities in Microsoft Azure, Microsoft Copilot, Microsoft Dynamics 365 and Power Platform, Microsoft Identity, and M365 Bounty Programs. Zero Day Quest provides new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers to share, learn, and build community as we work to keep everyone safe.
This challenge has two distinct opportunities:
- A Research Challenge (open to everyone)
- A Live Hacking Event (invite only)
Zero Day Quest will be subject to the terms of our bounty program, as outlined in the Microsoft Bounty Terms and Conditions and our bounty Safe Harbor policy, the applicable bounty program, and additional terms and conditions for the Research Challenge and Live Hacking Event.
HOW TO SUBMIT
Visit the MSRC Researcher Portal and follow the instructions to submit your reports.
Microsoft is not responsible for excess, lost, late, or incomplete submissions. If disputed, submissions will be deemed submitted by the “authorized account holder” of the email address used to enter. The “authorized account holder” is the natural person assigned to an email address by an internet or online service provider, or other organization responsible for assigning email addresses.
RESEARCH RULES OF ENGAGEMENT
To maintain the security and integrity of our services, all participants in Microsoft's bounty programs must strictly adhere to the Microsoft Security Testing Rules of Engagement (ROE). These guidelines are crafted to enable security researchers to assess the security of Microsoft Online Assets effectively while ensuring that other customers and infrastructure remain unaffected. For comprehensive details about these rules, please consult the Microsoft ROE website.
If you accidentally access unauthorized data, stop immediately. Notify MSRC with the details, delete the data, and acknowledge this in any bug bounty report. Do not share the accessed information.
RESOURCES FOR PROGRAM PARTICIPANTS
To help you with your Zero Day Quest submissions, check out sessions from the AI Red Team, Microsoft Security Response Center, and Dynamics teams:
- Learn to Red Team AI Systems Using PyRIT
- Microsoft's Bug Bounty Program and AI Research
- Security Research in Copilot Studio
PAST EVENTS
REVISION HISTORY
- March 3, 2025: The Zero Day Quest Live Hacking Event launched.
- March 20, 2025: Added Flash Challenges for SharePoint Online and Exchange Online.
- March 26, 2025: Added Flash Challenge for Copilot.
- August 4, 2025: Published updates to the Zero Day Quest, Research Challenge, and Live Hacking Event pages.