Microsoft strongly believes close partnerships with researchers make customers more secure. Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process. Each year we partner together to better protect billions of customers worldwide.

If you are a security researcher who has found a vulnerability in a Microsoft product, service, or device, we want to hear from you. If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you may receive a bounty award according to the program descriptions. Even if it is not covered under an existing bounty program, we will publicly acknowledge your contributions when we fix the vulnerability. All vulnerability submissions are counted in our annual Top 100 Researcher leaderboard, even if they do not qualify for a bounty award.

Click here to submit a security vulnerability 

The Microsoft Bug Bounty Programs are subject to the legal terms and conditions outlined here.

Let the hunt begin!
Our bug bounty programs are divided by technology area, though they generally share the same high-level requirements:

Research: We want to award you

Vulnerabilities: We are looking for new

Data, privacy, service availability: Avoid harm to customer data

Vulnerability disclosure: Follow coordinated vulnerability disclosure

| Program Name | Start Date | Last Updated | End Date | Eligible Entries | Bounty Range |
| --- | --- | --- | --- | --- | --- |
| | 2018-7-17 | 2018-12-06 | Ongoing | Vulnerability reports on Identity services, including Microsoft Account, Azure Active Directory, or select OpenID standards. | Up to $100,000 USD |
| Microsoft Azure DevOps Services Bounty | 2019-01-17 | 2019-01-17 | Ongoing | Vulnerability reports on applicable Microsoft Azure DevOps Services | Up to $20,000 USD |
| Microsoft Dynamics 365 | 2019-07-17 | 2019-07-17 | Ongoing | Vulnerability reports on applicable Microsoft Dynamics 365 applications | Up to $20,000 USD |
| | 2016-09-01 | 2018-10-16 | Ongoing | Vulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see link for program details) | Up to $15,000 USD |
| Microsoft Cloud Bounty | 2014-09-23 | 2019-06-12 | Ongoing | Vulnerability reports on applicable Microsoft cloud services | Up to $20,000 USD |

| Program Name | Start Date | Last Updated | End Date | Eligible Entries | Bounty Range |
| --- | --- | --- | --- | --- | --- |
| Microsoft Hyper-V | 2017-05-31 | 2019-03-15 | Ongoing | Critical remote code execution, information disclosure and denial of service vulnerabilities in Hyper-V | Up to $250,000 USD |
| Microsoft Windows Insider Preview | 2017-07-26 | 2019-01-17 | Ongoing | Critical and important vulnerabilities in Windows Insider Preview | Up to $50,000 USD |
| Windows Defender Application Guard | 2017-07-26 | 2017-07-26 | Ongoing | Critical vulnerabilities in Windows Defender Application Guard | Up to $30,000 USD |
| Microsoft Edge (EdgeHTML) on Windows Insider Preview | 2016-08-04 | 2019-04-08 | Ongoing | Critical remote code execution and design issues in Microsoft Edge (EdgeHTML) in Windows Insider Preview Slow ring | Up to $15,000 USD |
| Office Insider | 2017-03-15 | 2018-12-07 | Ongoing | Vulnerabilities on Office Insider | Up to $15,000 USD |

| Program Name | Start Date | Last Updated | End Date | Eligible Entries | Bounty Range |
| --- | --- | --- | --- | --- | --- |
| Mitigation Bypass and Bounty for Defense | 2013-06-26 | 2018-10-02 | Ongoing | Novel exploitation techniques against protections built into the latest version of the Windows operating system. Additionally, defensive ideas that accompany a Mitigation Bypass submission. | Up to $100,000 USD (plus up to an additional $100,000) |

We have pulled together additional resources to help you understand our bounty program offerings and even help you get started or work toward higher payouts. We truly view this as a collaborative partnership with the security community. Your success in this program helps further our customers' security and the ecosystem.

Frequently Asked Questions

Example of High Quality Reports

Windows Security Servicing Criteria

Directory of Azure Services

Microsoft Documentation for end users, developers, and IT professionals

Microsoft Security Research & Defense Blog

HackerOne’s Hacker101 training

Bugcrowd University

Some submission types are generally not eligible for Microsoft bounty awards. Please refer to our bounty programs for additional information on eligible submission, vulnerability, or attack methods.

 

Tool output

Social engineering
