Microsoft will offer up to $5 million in bounty awards at this year’s Zero Day Quest hacking contest, which the company describes as the “largest hacking event in history.”
Last year’s Zero Day Quest has also generated significant participation from the security community, following Microsoft’s offer of $4 million in rewards for vulnerabilities in cloud and AI products and platforms. After the November hacking competition concluded, Microsoft announced that it had paid $1.6 million, having received more than 600 vulnerability submissions.
For this year’s competition, Redmond has increased the prize pool to $5 million, with a focus on addressing security issues in cloud computing and artificial intelligence.
Between August 4 and October 4, 2025, Microsoft will accept submissions as part of a research challenge open to all security researchers, with participants also eligible for multiplied bounty payouts for reporting critical vulnerabilities.
“To recognize and reward the most impactful research, we are offering +50% bounty multiplier for Critical severity vulnerabilities and high-impact scenarios discovered during the Research Challenge that align with the new and existing Microsoft Azure, Copilot, Dynamics 365 and Power Platform, Identity, or M365 Bounty Programs,” Microsoft said. “If your submission qualifies for both general and high-impact multipliers, the higher value applies.”
Top-performing researchers will qualify for a live hacking event at Microsoft’s Redmond campus in Spring 2026. The invitation-only competition will bring together leading security researchers to collaborate directly with the Microsoft Security Response Center and Microsoft product teams.
The company also plans to support participants through training sessions from its AI Red Team, MSRC, and Dynamics teams covering AI system testing, bug bounty programs, and security research methodologies.
The contest is part of Microsoft’s Secure Future Initiative (SFI), a cybersecurity engineering effort launched in November 2023, following a report from the Cyber Safety Review Board of the U.S. Department of Homeland Security, which stated that the company’s security culture was “inadequate and requires an overhaul.”
“As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the CVE program, even if no customer action is required,” Microsoft said. “Learnings from the Zero Day Quest will be shared across Microsoft to help improve Cloud and AI security in alignment with SFI’s core principles: securing by default, by design, and in operations.”
On Friday, Microsoft also revealed that it has increased rewards to $40,000 for some .NET and ASP.NET Core vulnerabilities and expanded its .NET bug bounty program.
Earlier this year, the company also announced increased bounty awards of up to $30,000 for Power Platform and Dynamics 365 AI vulnerabilities, as well as higher payouts for moderate-severity Microsoft Copilot (AI) security flaws. Additionally, a 100% award multiplier was introduced for all Copilot bounty awards to incentivize AI research.
Malware targeting password stores surged 3X as attackers executed stealthy Perfect Heist scenarios, infiltrating and exploiting critical systems.
Discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
