Secure research starts with responsible testing.

As announced in the MSRC blog, Microsoft Zero Day Quest invites security researchers to discover and report high-impact vulnerabilities in Microsoft Azure, Microsoft Azure DevOps, Microsoft Defender, Microsoft Dynamics 365 and Power Platform, Microsoft Identity, M365, Microsoft Copilot, and Microsoft 365 Copilot Bounty Programs. Zero Day Quest provides new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers to share, learn, and build community as we work to keep everyone safe.

This challenge has two distinct opportunities:

• A Research Challenge (open to everyone)
• A Live Hacking Event (invite only)

The Live Hacking Event is Microsoft’s celebration of security research, hosted at Microsoft’s Redmond campus in March 2026. This event will foster new partnerships and strengthen existing ones among MSRC, product teams, and external researchers, raising the security bar for all.

Full details about the Zero Day Quest Research Challenge can be found here.

NOTE: Researchers who have not received an invitation to this event are not eligible for the awards listed below. 

The Zero Day Quest Live Hacking Event is an invite-only event extended to up to 45 MSRC security researchers who have either:

• Submitted >1 valid case to the MSRC and received a critical severity or high impact scenario bounty award since July 1, 2024, that focus on cloud or AI research areas; OR
• qualified based on their submissions to the Zero Day Quest Research Challenge, which ran from August 4 to October 4, 2025. The top researchers, by bounty awarded amount, for cases submitted under the eligible scope during the Research Challenge, were invited to participate in the Zero Day Quest Live Hacking Event.

The Zero Day Quest Live Hacking Event is invite-only and runs from 12:00 AM Pacific Time, February 17, 2026, through 11:59 PM Pacific Time, March 18, 2026.

First-time researchers are encouraged to review the MSRC Researcher Resource Center as well as the definitions surrounding eligible submissions, in-scope, and out-of-scope vulnerabilities before getting started. This information can be found in the respective bug bounty programs listed below. 

Bounty Programs in Scope:

• Microsoft Azure
• Microsoft Azure DevOps
• Microsoft Defender
• Microsoft Dynamics 365 and Power Platform
• Microsoft Identity
• M365
• Microsoft Copilot
• Microsoft 365 Copilot

Visit the MSRC Researcher Portal and follow the instructions to submit your reports.

In order to be eligible to receive a bounty award, you must include the following in your submissions:

• Targeted bonus categories or flash challenges

Microsoft is not responsible for excess, lost, late, or incomplete submissions. If disputed, submissions will be deemed submitted by the “authorized account holder” of the email address used to enter. The “authorized account holder” is the natural person assigned to an email address by an internet or online service provider, or other organization responsible for assigning email addresses.

Researchers who submit eligible submissions will receive bounty awards in the amounts specified in the terms of the relevant bounty program. Once submitted, your submission will be reviewed by the Microsoft Security Response Center to determine if they are eligible for a bounty award, based on the judgment criteria specified in the relevant bounty program.

Bounty awards will be awarded in accordance with the Microsoft Bounty Terms and Conditions.

*If you submit a valid issue that is eligible for both General Award multipliers and High Impact Scenario multipliers, then you will receive the High Impact Scenario multiplier.

NOTE: Please refer to specific bounty program terms for eligible in-scope vulnerabilities and reward amounts. These multipliers are valid only for the invite-only Zero Day Quest Live Hacking Event.

Target Information:

• Targets in-scope of identity services
• Challenges researchers to demonstrate cross-tenant or cross-user access by demonstrating access to the following account:
  • Email: victim@zdqnexus.onmicrosoft.com
  • OID: d97914a3-8886-433b-b232-988d6f233e9d 
  • TID: 5eef8d9d-1602-48b4-8646-49735e662fc9

Scenario:

• Authentication Bypass – Cross-Tenant | $250,000
  • Demonstrate a full account takeover that can be used on the user account.
  • Achieve authentication and satisfy MFA requirements for the targeted user, being able to access all applications and data.
     
• Authorization Bypass - Within Tenant | $100,000
  • Demonstrate a full account takeover that can be used on an account inside your tenant. 
  • Achieve authentication and satisfy MFA requirements for the targeted user, being able to access all applications and data.

Out of Scope

• Please refer to the out-of-scope section for the Identity Bounty Program, in addition to the following: 
  • Cross-Site Scripting Vulnerabilities
  • Cross-Site Request Forgery Vulnerabilities
  • HTTP Request Smuggling Vulnerabilities
  • Vulnerabilities that do not result in full, unrestricted authentication (e.g. a singular system is vulnerable or impacted)
  • Vulnerabilities that require any user interaction or significant preconditions
  • Vulnerabilities that are the result of a third party (e.g. external SAML implementations)
  • Vulnerabilities that do not bypass MFA
  • Vulnerabilities that only impact a subset of user accounts
  • Vulnerabilities that only impact consumer systems (MSA)

Target Information:

• Targets Microsoft Global Secure Access (GSA) and evaluates whether adversaries can break its core security promise.
• GSA Quickstart, licenses for Microsoft Entra Suite and Microsoft 365 E5 have been shared with you.
  

Scenario:

• Authorization Bypass – Access another tenant backend resources | $75,000
  • Demonstrate that you are able to route traffic to another tenant’s backend resource using Microsoft Entra Private Access.
• Remote Code Execution (RCE) – Achieve RCE on a backend GSA traffic processing node | $75,000
  • Demonstrate an RCE vulnerability that impacts a GSA node processing traffic.
• Authorization Bypass – Modify another tenants GSA policies or configuration | $50,000
  • Demonstrate a vulnerability that allows you to modify another tenants GSA routing tables/policies or traffic configurations.
    

Out of Scope

• Please refer to the out-of-scope section for the Identity Bounty Program, in addition to the following: 
  • Cross-Site Scripting Vulnerabilities
  • Cross-Site Request Forgery Vulnerabilities

Target Information:

• SafeLinks API - demonstrate remote code execution as an unauthenticated user via SafeLinks API.
• Tenant setup: Microsoft 365 E5 licenses (including MDO Plan 1/Plan 2) with URL and SafeLinks click protection settings enabled in policy.

User Roles:

• Security administrator and regular user

Set up Instructions:

• Customer/Product Documentation: Why do I need Microsoft Defender for Office 365? | Microsoft Learn
• Deploy MDO: Get started with Microsoft Defender for Office 365 | Microsoft Learn
• Configure SafeLinks in MDO: Complete Safe Links overview for Microsoft Defender for Office 365 - Microsoft Defender for Office 365 | Microsoft Learn
  Set up Safe Links policies in Microsoft Defender for Office 365 - Microsoft Defender for Office 365 | Microsoft Learn
• Manage tenant allow block list for URLs: Manage allows and blocks in the Tenant Allow/Block List - Microsoft Defender for Office 365 | Microsoft Learn

Scenario:

• Remote Code Execution – Unauthenticated SafeLinks API | $100,000    
  • Demonstrate remote code execution by interacting directly with SafeLinks API endpoints as an unauthenticated attacker.    

• Remote Code Execution – Authenticated SafeLinks bypass using integrated apps | $50,000
  • Demonstrate unsafe execution paths through SafeLinks-integrated applications (Office apps, Teams, M365 Copilot) as an authenticated Microsoft 365 user.

Out of Scope:

• Please refer to the out-of-scope section for the Microsoft Defender Bounty Program page, in addition to the following out-of-scope vulnerability types include: Cross-Site Scripting (XSS), on-premises deployments, vulnerabilities that require user interaction to trigger, and issues in third-party software. 

Target Information

• Users in this tenant have Microsoft 365 Standard and Business Premium licenses. 

• Your credentials and high-level tenant details will be emailed to you directly!  

Scenarios

• Remote Code Execution – Unauthenticated Deserialization of Untrusted Data | $100,000
  • As an unauthenticated user, demonstrate one of the following actions:
    • Launch a process on a backend server 
    • Return environment variables from the current process 
    • Get a list of running processes on the server 

• Remote Code Execution – Authenticated Deserialization of Untrusted Data bypassing Unsafe Controls | $50,000
  • As an authenticated user, demonstrate one of the following actions: 
    • Launch a process on a backend server 
    • Return environment variables from the current process 
    • Get a list of running processes on the server 

• Cross-tenant authorization/authentication bypass | $100,000
  • Starting as a user outside the following tenant, access the contents of the document at this URL: https://a830edad9050849zdq2026b.sharepoint.com/Shared%20Documents/087b7623-dcdf-4b47-950d-4fd1db0879b7.docx  

• Within-tenant authorization bypass | $50,000
  • Starting as a user within the following tenant (you will be emailed credentials), access the contents of the document at this URL: https://testtenant102398-my.sharepoint.com/:w:/r/personal/random22_testtenant102398_onmicrosoft_com/_layouts/15/doc.aspx?sourcedoc={18646099-fae9-41ec-9599-bbee5ccddee1}

• Arbitrary File Read/Write | $25,000
  • Write a file to the file system of a SharePoint Online datacenter server with the following file name: c58a1d94-0745-4b9b-8d68-926af41cb501.abc 
  • Read a file from the file system of a SharePoint Online datacenter server. These must be internal system files, such as web.config. 

• High-privileged Entra token leak | $25,000
  • Capture an Entra token issued to a Microsoft first-party application that grants app-only access to SharePoint content, directly or through MS Graph. This must be a token issued to an app owned by Microsoft, not an app that you developed yourself.
  • Entra tokens can be decoded at https://jwt.ms. An app-only token has these properties:
    • No xms_spcu claim
    • One or more of the following:
      • idtyp claim = "app"
      • oid claim value matches the sub claim value
      • ver claim = "service_asserted_app_v1"
  • For direct SharePoint access
    • aud claim = "00000003-0000-0ff1-ce00-000000000000"
  • For SharePoint content access via MS Graph
    • aud claim = "https://graph.microsoft.com/"
    • Roles claim contains any Sites.* or Files.* roles

Out of Scope

Please refer to the out-of-scope section for the M365 Bounty Program, in addition to the following types of submissions, which are not eligible for a bounty described above:  

• Cross Site Scripting vulnerabilities 

• Vulnerabilities found in on-prem versions of the application 

• Vulnerabilities requiring user interaction or significant preconditions 

• Vulnerabilities relying on third party code or extensions 

Target Information 

• Microsoft 365 Copilot using a work or school account 

Scenario

• Accessing another user’s file that you should not have access to within the same tenant | $100,000
  • Starting as User A within your tenant, create a document containing an obscure flag and label it “Highly Confidential – Recipients Only.” Grant User B read-only access to this document. Then, using a separate identity (User C), attempt to access the contents of the document using Microsoft 365 Copilot.

Out of Scope

Please refer to the out-of-scope section for the Microsoft 365 Copilot Bounty Program, in addition to the following types of submissions, which are not eligible for a bounty described above:  

• Cross Site Scripting vulnerabilities 
• Vulnerabilities requiring user interaction or significant preconditions 
• Vulnerabilities relying on third party code or extensions 

• Cross Site Scripting vulnerabilities in the Azure and Dynamics 365 and Power Platform Bounty Programs.
• Vulnerabilities in Confidential Compute.

Services will be awarded under existing Bounty Programs, but not eligible for multipliers or count towards the bounty leaderboard for this event.

Microsoft will coordinate and book round-trip economy airfare for eligible participants through our designated travel agency. Travel will be arranged from the major airport closest to the participant’s home and is subject to the following conditions:

• Microsoft will cover the base fare and standard taxes only, up to $2,000 USD for international travel and up to $750 USD for travel within North America (including Canada and Mexico). 
• Optional add-ons, including seat upgrades, baggage fees, early boarding, lounge access, preferred seating, and other ancillary charges, are not covered
• Participants who live within 300 miles of the event location may be provided with alternative transportation instead of airfare. The mode of travel will be determined by Microsoft.
• Participants are responsible for securing all required travel documents, including but not limited to government-issued ID, visa, or passport. Microsoft cannot book travel until all required documents are obtained.
• Once travel has been booked through Microsoft’s travel agency, no changes or cancellations can be made.
• Travel must occur on the dates specified by Microsoft. Failure to travel on the approved itinerary may result in forfeiture of the event invitation.

Additional information about the travel booking process will be provided directly to invited participants when arrangements begin.

To maintain the security and integrity of our services, all participants in Microsoft's bounty programs must strictly adhere to the Microsoft Security Testing Rules of Engagement (ROE). These guidelines are crafted to enable security researchers to assess the security of Microsoft Online Assets effectively while ensuring that other customers and infrastructure remain unaffected. For comprehensive details about these rules, please consult the Microsoft ROE website.

If you accidentally access unauthorized data, stop immediately. Notify MSRC with the details, delete the data, and acknowledge this in any bug bounty report. Do not share the accessed information.

If you attempt or we have strong reason to believe that you have compromised the integrity or the legitimate operation of the Live Hacking Event by cheating, hacking, creating a bot or other automated program, or by committing fraud in any way, Microsoft may (a) disqualify you from participation in the Live Hacking Event, (b) seek damages from you to the full extent of the law and (c) ban you from participation in future Microsoft events and programs.