MSRC

Security Partnerships: Clear Scope. Big Awards.

Microsoft Bug Bounty Program

Partner with Microsoft to strengthen our products and services by identifying and reporting security vulnerabilities that could impact our customers. Under Coordinated Vulnerability Disclosure (CVD), we recognize and award findings that demonstrate significant security impact.

IMPORTANT: The Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Bounty Program Guidelines, and those program rules listed on each individual bounty program page.

Report a Security Vulnerability

Key things to know before you submit

High impact, high-quality, high awards

Submissions that include clear reproduction steps, proof-of-concept code, and detailed analysis help us validate quickly and reduce risk faster. High-quality reports not only accelerate triage—they qualify for higher awards because they demonstrate measurable impact and enable timely fixes that protect customers. Please find examples here.

Focus on new and unique vulnerabilities

We value findings that uncover gaps missed during development and meaningfully improve security. If you are the first to identify a vulnerability that affects Microsoft products or services, your contribution matters—even if we are already working on a fix. Reports that reduce real-world risk and strengthen customer trust earn the highest recognition.

Follow Coordinated Vulnerability Disclosure

CVD is the foundation of trust. Report vulnerabilities privately and allow time for remediation before public disclosure. Adhere to our Rules of Engagement and program scope to ensure eligibility for awards. Working together under CVD principles helps us fix issues quickly, protect customers, and recognize your contributions responsibly.

Work within the Rules of Engagement

Responsible testing means avoiding harm. Do not access, modify, or exfiltrate customer data. Never disrupt services or compromise uptime. If you encounter sensitive information or are unsure whether an action is safe, stop immediately and contact us. Our priority is protecting customers while enabling research that improves security.

Let the hunt begin!

Earn up to $250,000 USD in bug bounty awards

Cloud Programs

Up to $100,000 USD

Explore Cloud Programs

Endpoint & On-Prem Programs

Up to $250,000 USD

Explore Endpoint & On-Prem Programs

Zero Day Quest

Up to $100,000 USD

Explore Zero Day Quest