Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process. Microsoft strongly believes that close partnerships with researchers make customers more secure. Coordinated Vulnerability Disclosure is the foundation of how we act and of how we ask researchers to interact with us. Each year we partner together to better protect billions of customers worldwide.

The Microsoft Bug Bounty Program is designed to further those goals and better protect our customers and the broader ecosystem. Through targeted and ongoing bounty programs, we acknowledge researchers by rewarding them with cash for submitting their findings to one of our eligible bounty programs. These programs aim to supplement or encourage research in certain categories or technologies. If you are a security researcher who has found a vulnerability in a Microsoft product, service, or device, we want to hear from you. If it is within the scope of a bounty program, you can receive bounty payments according to the program descriptions. If it is not covered under an existing bounty program, we will publicly acknowledge your contribution toward better protections when we fix the vulnerability. Both categories of submission are eligible to be counted in our annual Top 100 Researcher scoreboard. Submissions can be made through our triage process at secure@microsoft.com.

The Microsoft Bug Bounty Programs are subject to the legal terms outlined here.

Let the hunt begin!
Our bug bounty programs are divided by technology area, though they generally share the same high-level requirements:
  • We want to pay you for your research. Submissions that contain well-written descriptions, a clear statement of impact, and steps to reproduce your proof-of-concept code are eligible for higher payouts than stack dumps or submissions without clear impact.
  • We are looking for new and novel vulnerabilities. Your contributions help us address vulnerabilities we may have missed in the development process. Like you, we will continue investigating and reviewing our code. If you are the first external researcher to identify a vulnerability we already know about and are working to fix, you will still be eligible for a percentage of the bounty award.
  • Microsoft takes the privacy of our customers' data seriously. Some security research may occur on production services that our customers are also using. We expect researchers to take care to avoid privacy violations, destruction of data, and interruption or degradation of our services during their research. If you discover customer data while researching, stop immediately and contact us.
  • Be conscientious of service availability while doing research. The services in our cloud and datacenters operate in a production environment where customers are actively using and depending on them. Research that impedes availability, including but not limited to denial of service or heavy resource utilization, is prohibited. We ask that you respect the production nature of the environment and do your best to avoid those impacts.
  • If it can be found by a tool, it probably should be. Scanners and automation tools are common practice in the security community. They often produce many results that need further investigation and can yield numerous false positives. As such, our bounty programs generally place reports from automated tools or scans out of scope.
  • Social engineering and physical security attacks are off limits. Submissions that require manipulation of data, network access, or a physical attack against Microsoft offices or datacenters, and/or social engineering of our customer support service desk, employees, or contractors, will not be accepted.
  • Follow coordinated vulnerability disclosure. Our customers' security is important to us. We ask that if you find a vulnerability in our products, services, or devices, you report it to us privately and work with us until a solution for that vulnerability is available. We will endeavor to work on each report diligently and to address it in a reasonable time period. In recognition of this partnership we award bounty payments and will acknowledge your contributions to customer security when the fix is available.
Bounty programs (start date, end date, scope, maximum reward):
  • Started 2018-07-17, ongoing. Scope: vulnerability reports on Identity services, including Microsoft Account, Azure Active Directory, or select OpenID standards. Reward: up to $100,000 USD.
  • Started 2018-03-14, ends 2018-12-31. Scope: a novel category or exploit method for a Speculative Execution Side Channel vulnerability. Reward: up to $250,000 USD.
  • Started 2017-07-26, ongoing. Scope: Critical and Important vulnerabilities in Windows Insider Preview. Reward: up to $15,000 USD.
  • Started 2017-07-26, ongoing. Scope: Critical vulnerabilities in Windows Defender Application Guard. Reward: up to $30,000 USD.
  • Started 2017-05-31, ongoing. Scope: Critical remote code execution, information disclosure, and denial of service vulnerabilities in Hyper-V. Reward: up to $250,000 USD.
  • Started 2016-08-04, ongoing. Scope: Critical remote code execution and design issues in Microsoft Edge in the Windows Insider Preview Fast ring. Reward: up to $15,000 USD.
  • Started 2013-06-26, ongoing. Scope: novel exploitation techniques against protections built into the latest version of the Windows operating system (Mitigation Bypass), plus defensive ideas that accompany a Mitigation Bypass submission (Bounty for Defense). Reward: up to $100,000 USD for the bypass, plus up to an additional $100,000 USD for the defense.
  • Started 2017-03-15, ongoing. Scope: vulnerabilities in Office Insider. Reward: up to $15,000 USD.
  • Started 2016-09-01, ongoing. Scope: vulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see the program page for details). Reward: up to $15,000 USD.
  • Started 2014-09-23, ongoing. Scope: vulnerability reports on applicable Microsoft cloud services. Reward: up to $15,000 USD.
Additional resources for security researchers
We have pulled together additional resources to help you understand our bounty program offerings and to help you get started on the path to higher payouts. We truly view this as a collaborative partnership with the security community. Your success in this program helps further our customers' security and that of the ecosystem.