Microsoft Zero Day Quest

 

The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers using the latest version of the application.

Vulnerability submissions must meet the following criteria to be eligible for bounty awards:

• Identify a vulnerability that was not previously reported to, or otherwise known by, Microsoft.
• Such vulnerability must be of previously unreported Critical or Important severity and must reproduce in one of the in-scope products or services.
• Include clear, concise, and reproducible steps, either in writing or in video format, providing our engineering team with the information necessary to quickly reproduce, understand, and fix the issues

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria. For additional details, please refer to the specific Microsoft AI, Microsoft Azure, Microsoft Identity, M365, and Microsoft Dynamics 365 and Power Platform bounty program page.

The Onsite Hacking Event is Microsoft’s inaugural security research-focused event and celebration to be hosted onsite at the Microsoft Campus in Redmond, Washington in 2025. This event will foster new and deepening existing partnerships with MSRC, product teams, and external researchers, raising the security bar for all.

The Zero Day Quest Hacking event is an invite-only event extended to Microsoft’s top 10 ranked researchers from each of the 2024 Annual Azure, Dynamics, and Office Leaderboards. An additional 45 researchers will be invited based on their submissions to the research challenge, which is open to everyone.

The Research Challenge provides an opportunity for researchers to earn an invitation to the event, whether it’s your 100^th time submitting to the MSRC or your 1^st.

Additional scope and bounty multipliers for the Onsite Hacking Event will be provided at a later date.

The Top 45 researchers, by bounty awarded amount, for cases submitted under the eligible scope during the Research Challenge, will earn their way to the Onsite Zero Day Quest event in Redmond, Washington. Vulnerabilities must be found in the published bounty scope for AI, Azure, Identity, M365, Dynamics & Power Platform Bounty Programs in order to qualify.

Invited researchers will receive the following:

• Round-trip economy airfare from major airport closest to winner’s home
• 5 nights standard hotel accommodations.
• Transportation to/from airport/hotel.

The total Approximate Retail Value (ARV) of this travel award is: $5,000 USD

Submit through the MSRC Researcher Portal and follow the instructions.

To help you with your AI bounty submissions, we are offering an opportunity to expand your bug finding skills for AI systems specifically. Microsoft’s AI Red Team has developed PyRIT (Python Risk Identification Toolkit for Generative AI), an open-source red team automation framework. PyRIT is a powerful supplement to manual testing efforts.

During the session, attendees will learn how to effectively utilize PyRIT for researching failures and bugs in generative AI systems. This includes setting up targets, leveraging datasets, exploring various attack strategies, and utilizing the memory functionality. This session offers an opportunity to learn from industry’s best practices on empowering researchers and may help you qualify for the Onsite Zero Day Hacking Event. 

Join us for the training on December 2, 2025, at 9:30 am PST. Please register at https://aka.ms/AIRedTeamTraining.

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES

Please refer to the out-of-scope sections of the following bounty programs, AI, Azure, Identity, M365, Dynamics & Power Platform. 

• If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
• If a duplicate report provides us with new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission. 
• If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
• Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.
• If the Onsite Hacking Event is canceled for any reason, Microsoft will not seek reimbursement for any travel expenses.
• If any of the 45 participants selected to advance to the OnSite Hacking Event in Redmond, WA are minors in their legal place of residence, they will be required to travel with a parent/legal guardian. Travel subject to availability and must be completed on dates specified by Microsoft or the opportunity will be forfeited and awarded to the next runner up. Any expenses not described above are the responsibility of the traveler(s) including but not limited to taxes, ground transportation, gratuities, and room charges. Winner and any guests must travel on same itinerary. If included, winner’s travel companion must execute a Liability/Publicity Release prior to issuance of travel documents. If included, travel companion must be the age of majority in their legal place of residence, or the parent/legal guardian of the winner. Winner and any guests are responsible for providing all required travel documents, including, but not limited to government issued ID, Visa, or Passport. Once made, no cancellation or change of reservation allowed. If winner lives within 300 miles of travel destination, Sponsor reserves the right to provide alternative transportation. Actual value depends on date/time/destination, and difference between actual value and stated value will not be awarded.
• For questions regarding the Research Challenge and/or Microsoft’s bounty rules, please email bounty@microsoft.com.
• For questions regarding the Onsite Hacking Event or to find out who won, please email bluehat@microsoft.com with the subject line “Microsoft Zero Day Quest Onsite Hacking Event.”

REVISION HISTORY

November 19, 2024: The Zero Day Quest Research Challenge launched.