Microsoft Zero Day Quest Live Hacking Event
OVERVIEW
As announced in the MSRC blog, Microsoft Zero Day Quest invites security researchers to discover and report high-impact vulnerabilities in Microsoft Azure, Microsoft Copilot, Microsoft Dynamics 365 and Power Platform, Microsoft Identity, and M365 Bounty Programs. Zero Day Quest provides new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers to share, learn, and build community as we work to keep everyone safe.
This challenge has two distinct opportunities:
- A Research Challenge (open to everyone)
- A Live Hacking Event (invite only)
The Live Hacking Event is Microsoft’s annual celebration of security research, hosted at Microsoft’s Redmond campus in Spring 2026. This event will foster new partnerships and strengthen existing ones among MSRC, product teams, and external researchers, raising the security bar for all.
Full details about the Zero Day Quest Research Challenge can be found here.
QUALIFYING FOR THE ZERO DAY QUEST LIVE HACKING EVENT
The Zero Day Quest Live Hacking Event is an invite-only event extended to up to 45 MSRC security researchers who have either:
- Submitted >1 valid case to the MSRC and received a critical severity or high impact scenario bounty award in the last year that focus on cloud or AI research areas; OR
- Qualified based on their submissions to the Zero Day Quest Research Challenge, which runs from August 4 to October 4, 2025. The top researchers, by bounty awarded amount, for cases submitted under the eligible scope during the Research Challenge, will be invited to participate in the Zero Day Quest Live Hacking Event.
LIVE HACKING EVENT SCOPE - coming soon!
HOW TO SUBMIT
Visit the MSRC Researcher Portal and follow the instructions to submit your reports.
Microsoft is not responsible for excess, lost, late, or incomplete submissions. If disputed, submissions will be deemed submitted by the “authorized account holder” of the email address used to enter. The “authorized account holder” is the natural person assigned to an email address by an internet or online service provider, or other organization responsible for assigning email addresses.
BOUNTY AWARDS
Researchers who submit eligible submissions will receive bounty awards in the amounts specified in the terms of the relevant bounty program. Once submitted, your submission will be reviewed by the Microsoft Security Response Center to determine if it is eligible for a bounty award, based on the judgment criteria specified in the relevant bounty program.
Bounty awards will be awarded in accordance with the Microsoft Bounty Terms and Conditions.
BOUNTY AWARD BONUSES - coming soon!
OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES - coming soon!
TRAVEL AND ACCOMMODATIONS (Updated for 2026)
Microsoft will coordinate and book round-trip economy airfare for eligible participants through our designated travel agency. Travel will be arranged from the major airport closest to the participant’s home and is subject to the following conditions:
- Microsoft will cover the base fare and standard taxes only, up to $2,000 USD for international travel and up to $750 USD for travel within North America (including Canada and Mexico).
- Optional add-ons, including seat upgrades, baggage fees, early boarding, lounge access, preferred seating, and other ancillary charges, are not covered.
- Participants who live within 300 miles of the event location may be provided with alternative transportation instead of airfare. The mode of travel will be determined by Microsoft.
- Participants are responsible for securing all required travel documents, including but not limited to government-issued ID, visa, or passport. Microsoft cannot book travel until all required documents are obtained.
- Once travel has been booked through Microsoft’s travel agency, no changes or cancellations can be made.
- Travel must occur on the dates specified by Microsoft. Failure to travel on the approved itinerary may result in forfeiture of the event invitation.
Additional information about the travel booking process will be provided directly to invited participants when arrangements begin.
RESEARCH RULES OF ENGAGEMENT
To maintain the security and integrity of our services, all participants in Microsoft's bounty programs must strictly adhere to the Microsoft Security Testing Rules of Engagement (ROE). These guidelines are crafted to enable security researchers to assess the security of Microsoft Online Assets effectively while ensuring that other customers and infrastructure remain unaffected. For comprehensive details about these rules, please consult the Microsoft ROE website.
If you accidentally access unauthorized data, stop immediately. Notify MSRC with the details, delete the data, and acknowledge this in any bug bounty report. Do not share the accessed information.
PROHIBITED ACTIVITIES
Engaging in the disruption, compromise, access, storage, or damage of data or property without explicit written consent from the owner, or adversely affecting Microsoft services for other users, is strictly prohibited and will result in disqualification. Specific prohibited activities include but are not limited to:
- Accessing customer or Microsoft data and testing customer systems without explicit permission: Any interaction with data or systems that you do not own or have explicit permission to access is prohibited. This includes accessing customer data, Microsoft data, or testing systems that belong to customers.
  - Examples: Extracting training data, model architectures, model weights, training code, customer documents, metadata, names, configuration files, system logs, or any other unauthorized data.
- Using credentials or other secrets that are not your own. This includes any credentials or secrets that you do not own, regardless of how they are obtained, including those that were leaked publicly.
- Interacting with storage accounts that are not part of your subscription or that you do not own.
- Performing denial-of-service testing.
- Executing network-intensive fuzzing or automated testing that generates excessive traffic.
- Conducting phishing or social engineering attacks targeting Microsoft employees or using Microsoft services to perform phishing or other social engineering attacks against others.
Please see the specific bounty program for additional details. Even with these restrictions in place, Microsoft retains the authority to respond to any actions conducted on its networks that are deemed malicious in nature.
USE OF YOUR SUBMISSION
We are not claiming ownership rights to your submission. However, by providing your submission to Microsoft, you grant Microsoft rights to use your submission as provided in the Microsoft Bounty Terms and Conditions. You will not receive any compensation or credit for use of your submission, other than what is described in this page or the bounty program pages linked to above.
By providing your submission to Microsoft, you acknowledge that Microsoft may have developed or commissioned materials similar or identical to your submission and you waive any claims resulting from any similarities to your submission. Further, you understand that Microsoft will not restrict work assignments of representatives who have had access to your submission, and you agree that use of information in our representatives’ unaided memories in the development or deployment of our products or services does not create liability for Microsoft under copyright or trade secret law. Microsoft is not obligated to use your submission for any purpose.
RESOURCES FOR PROGRAM PARTICIPANTS
To help you with your Zero Day Quest submissions, check out sessions from the AI Red Team, Microsoft Security Response Center, and Dynamics teams:
- Learn to Red Team AI Systems Using PyRIT
- Microsoft's Bug Bounty Program and AI Research
- Security Research in Copilot Studio
ADDITIONAL TERMS AND CONDITIONS FOR THE LIVE HACKING EVENT - coming soon!
REVISION HISTORY
- March 3, 2025: The Zero Day Quest Live Hacking Event launched.
- March 20, 2025: Added Flash Challenges for SharePoint Online and Exchange Online.
- March 26, 2025: Added Flash Challenge for Copilot.
- August 4, 2025: Updated the Zero Day Quest Live Hacking Event page with new event information.