Zero Day Quest returns: Microsoft ups the stakes with $5M bug bounty
Microsoft offers up to $5M for Zero Day Quest 2026 bug hacking contest; top researchers join live hacking event after fall 2025 submissions.
Microsoft is bringing back its live hacking contest, Zero Day Quest, in spring 2026, and this time it is offering up to $5 million in rewards. The competition will spotlight researchers who uncover serious security flaws in cloud and AI systems. This is the second time the event is being held; in the first one, Microsoft gave out $1.6 million for finding major security flaws.
“This year, Zero Day Quest is back with even more potential bounty awards: up to $5 million total for high-impact research in Cloud and AI security,” reads the announcement published by the tech giant. “This is the largest public hacking event ever, bringing together the top global security researchers for an opportunity to protect the world.”
From August 4 to October 4, 2025, security researchers can join Microsoft’s Zero Day Quest Research Challenge by submitting vulnerabilities in Azure, Copilot, Dynamics 365, Power Platform, Identity, or M365. Top findings may earn a +50% bounty bonus and a spot at the exclusive Live Hacking Event in spring 2026 at Microsoft’s Redmond campus, where leading experts will collaborate with Microsoft product teams and the Microsoft Security Response Center (MSRC) to advance security.
Microsoft encourages researchers to share their findings publicly after fixes, with support for blogs, podcasts, and videos. As part of its Secure Future Initiative (SFI), Microsoft will disclose critical vulnerabilities through the CVE program, even if no user action is needed. Insights from Zero Day Quest will be shared internally to strengthen cloud and AI security, following SFI’s principles.
“In alignment with our Coordinated Vulnerability Disclosure (CVD), researchers are encouraged to publicly discuss their findings once mitigated – with support from Microsoft through blogs, podcasts, and videos,” concludes the announcement.
Pierluigi Paganini
(SecurityAffairs – hacking, Zero Day Quest)