
Microsoft Zero Day Quest Research Challenge

OVERVIEW

As announced in the MSRC blog, Microsoft Zero Day Quest invites security researchers to discover and report high-impact vulnerabilities in the Microsoft Azure, Microsoft Copilot, Microsoft Dynamics 365 and Power Platform, Microsoft Identity, and M365 Bounty Programs. Zero Day Quest provides new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers to share, learn, and build community as we work to keep everyone safe.

This challenge has two distinct opportunities:

Full details about the Zero Day Quest Live Hacking Event can be found here.


RESEARCH CHALLENGE DESCRIPTION

The Research Challenge is open to everyone and runs from 12:00 AM Pacific Time, August 4, 2025, through 11:59 PM Pacific Time, October 4, 2025.

The Research Challenge will be subject to the terms of our bounty program, as outlined in the Microsoft Bounty Terms and Conditions and our bounty Safe Harbor policy, the applicable bounty program, and additional terms and conditions for the Research Challenge outlined below.

Bounty programs in scope:


First-time researchers are encouraged to review the MSRC Researcher Resource Center, as well as the definitions below surrounding eligible submissions, in-scope, and out-of-scope vulnerabilities before getting started. This information can be found in the respective bug bounty programs listed above.


HOW TO SUBMIT

Visit the MSRC Researcher Portal and follow the instructions to submit your reports.

Microsoft is not responsible for excess, lost, late, or incomplete submissions. If disputed, a submission will be deemed to have been submitted by the “authorized account holder” of the email address used to enter. The “authorized account holder” is the natural person assigned to an email address by an internet or online service provider, or by another organization responsible for assigning email addresses.


RESEARCH RULES OF ENGAGEMENT

To maintain the security and integrity of our services, all participants in Microsoft's bounty programs must strictly adhere to the Microsoft Security Testing Rules of Engagement (ROE). These guidelines are crafted to enable security researchers to assess the security of Microsoft Online Assets effectively while ensuring that other customers and infrastructure remain unaffected. For comprehensive details about these rules, please consult the Microsoft ROE website.

If you accidentally access unauthorized data, stop immediately. Notify MSRC with the details, delete the data, and acknowledge this in any bug bounty report. Do not share the accessed information.


PROHIBITED ACTIVITIES

Engaging in the disruption, compromise, access, storage, or damage of data or property without explicit written consent from the owner, or adversely affecting Microsoft services for other users, is strictly prohibited and will result in disqualification. Specific prohibited activities include but are not limited to:

  • Accessing customer or Microsoft data and testing customer systems without explicit permission: Any interaction with data or systems that you do not own or have explicit permission to access is prohibited. This includes accessing customer data, Microsoft data, or testing systems that belong to customers.
    • Examples: Extracting training data, model architectures, model weights, training code, customer documents, metadata, names, configuration files, system logs, or any other unauthorized data.
  • Using credentials or other secrets that are not your own. This includes any credentials or secrets that you do not own, regardless of how they are obtained, including those that were leaked publicly.
  • Interacting with storage accounts that are not part of your subscription or that you do not own.
  • Performing denial-of-service testing.
  • Executing network-intensive fuzzing or automated testing that generates excessive traffic.
  • Conducting phishing or social engineering attacks targeting Microsoft employees or using Microsoft services to perform phishing or other social engineering attacks against others.


Please see the specific bounty program for additional details. Even with these restrictions in place, Microsoft retains the authority to respond to any actions conducted on its networks that are deemed malicious in nature.


BOUNTY AWARDS

Researchers who submit eligible submissions will receive bounty awards in the amounts specified in the terms of the relevant bounty program. Once submitted, your submission will be reviewed by the Microsoft Security Response Center to determine whether it is eligible for a bounty award, based on the judgment criteria specified in the relevant bounty program.

Bounty awards will be awarded in accordance with the Microsoft Bounty Terms and Conditions.


BOUNTY AWARD BONUSES

Bounty multipliers for the categories below will be applied to valid issues that align with the existing Azure, Copilot, Dynamics 365 and Power Platform, Identity, or M365 Bounty Programs. These bonuses are effective only for the duration of the Research Challenge.

BOUNTY MULTIPLIERS

Security Impact and Amount:

  • Critical severity issue in the Azure, Copilot, Dynamics 365 and Power Platform, Identity, and M365 Bounty Programs: +50%
  • All existing High Impact Scenarios in the Azure, Dynamics 365 and Power Platform, and M365 Bounty Programs: +50%

*If you submit a valid issue that is eligible for both multipliers, the High Impact Scenario multiplier will apply.

NOTE: Please refer to specific bounty program terms for eligible in-scope vulnerabilities and award amounts. These multipliers are valid only for the Research Challenge. Bounty awards will be awarded in accordance with the Microsoft Bounty Terms and Conditions.


ELIGIBLE SUBMISSIONS

The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers using the latest version of the application.

Vulnerability submissions must meet the following criteria to be eligible for bounty awards:

  • Identify a vulnerability that was not previously reported to or otherwise known by Microsoft.
  • The vulnerability must be previously unreported, classified as Critical or Important severity, and must reproduce in one of the in-scope products or services.
  • Include clear, concise, and reproducible steps, either in writing or in video format, that provide our engineering team with the information necessary to quickly reproduce, understand, and fix the issues.

Microsoft may accept or reject, at our sole discretion, any submission that we determine does not meet the above criteria. For additional details, please refer to the specific Microsoft Azure, Microsoft Copilot, Microsoft Dynamics 365 and Power Platform, Microsoft Identity, and M365 bounty program pages.


USE OF YOUR SUBMISSION

We are not claiming ownership rights to your submission. However, by providing your submission to Microsoft, you grant Microsoft rights to use your submission as provided in the Microsoft Bounty Terms and Conditions. You will not receive any compensation or credit for use of your submission, other than what is described in this page or the bounty program pages linked to above.

By providing your submission to Microsoft, you acknowledge that Microsoft may have developed or commissioned materials similar or identical to your submission and you waive any claims resulting from any similarities to your submission. Further you understand that Microsoft will not restrict work assignments of representatives who have had access to your submission, and you agree that use of information in our representatives’ unaided memories in the development or deployment of our products or services does not create liability for Microsoft under copyright or trade secret law. Microsoft is not obligated to use your submission for any purpose.


QUALIFYING FOR THE ZERO DAY QUEST LIVE HACKING EVENT

The Zero Day Quest Live Hacking Event is an invite-only event extended to up to 45 MSRC security researchers who have either:

  • Submitted >1 valid case to the MSRC and received a critical severity or high impact scenario bounty award in the last year for cases that focus on cloud or AI research areas; OR
  • Qualified based on their submissions to the Zero Day Quest Research Challenge, which runs from August 4 to October 4, 2025. The top researchers, by bounty amount awarded for cases submitted under the eligible scope during the Research Challenge, will be invited to participate in the Zero Day Quest Live Hacking Event.


RESOURCES FOR PROGRAM PARTICIPANTS

To help you with your Zero Day Quest submissions, check out sessions from the AI Red Team, Microsoft Security Response Center, and Dynamics teams:


OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

Please refer to the out-of-scope sections of the Azure, Copilot, Dynamics 365 and Power Platform, Identity, and M365 Bounty Programs. 


ADDITIONAL TERMS AND CONDITIONS FOR THE RESEARCH CHALLENGE

  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
  • If a duplicate report provides us with new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission. 
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
  • Microsoft reserves the right to reject, at our sole discretion, any submission that we determine does not meet these criteria.
  • Participants must adhere to the Code of Conduct in the Microsoft Bounty Program Terms and Conditions.

For questions regarding the Research Challenge and/or Microsoft’s bounty rules, please email bounty@microsoft.com.


REVISION HISTORY

  • August 4, 2025: Published the new Zero Day Quest Research Challenge page.