Hackers and security researchers who uncover vulnerabilities in certain Microsoft products could take home part of a $4 million bug bounty.
On Tuesday, the company announced a new invitation-only hacking event called Zero Day Quest. Touted as the largest of its kind, the event will invite top-ranked researchers to discover and report high-impact security flaws. Microsoft also announced a research challenge that is open to anyone.
The research challenge will start today and run until January 19, 2025. Part of Microsoft’s AI Bounty Program, this challenge encourages people to hunt for bugs in Microsoft AI, Microsoft Azure, Microsoft Identity, M365, and Microsoft Dynamics 365 and Power Platform.
Before diving in, first-time researchers and other curious parties should check out the MSRC Researcher Resource Center to learn how to submit security vulnerabilities to Microsoft.
Zero Day Quest is scheduled to be held in 2025 at Microsoft’s campus in Redmond, Washington. Microsoft’s top 10 ranked researchers from each of the 2024 Annual Azure, Dynamics, and Office Leaderboards will be able to attend the hacking event. Another 45 researchers will be accepted based on the quality of their submissions to the research challenge.
Those invited will get round-trip economy airfare, a five-night hotel stay, transportation between the airport and hotel, and the chance to take home a hefty bug bounty. With $4 million ready to dole out, Microsoft will award researchers who uncover flaws in areas including:
- Critical and important severity Remote Code Execution
- Critical and important severity Elevation of Privilege
- High-impact scenarios on the Azure Bounty Program
- High-impact scenarios on the Microsoft Dynamics 365 and Power Platform Bounty Program
- High-impact scenarios on the M365 Bounty Program
Beyond the hefty bug bounties, Microsoft will also offer qualifying researchers a chance to work with its engineers and security experts.
“To advance AI security, starting today we will offer double AI bounty awards,” Tom Gallagher, VP of Engineering at Microsoft Security Response Center, said in the blog post. “We will also offer researchers direct access to the Microsoft AI engineers focused on developing secure AI solutions, and our AI Red Team. This unique opportunity will allow participants to enhance their skills with cutting-edge tools and techniques and work with Microsoft to raise the bar for AI security across the ecosystem.”
How to qualify
What will it take for you to qualify? The goal of the bounty program is to find important security flaws that directly impact the security of Microsoft users, so you’ll need to identify a vulnerability not previously reported or known to Microsoft. The vulnerability must be considered Critical or Important in severity and must be reproducible.
Finally, you’ll have to provide clear steps in writing or video showing Microsoft engineers how to reproduce and fix the bug.