Zero Day Quest 2025: $1.6 million awarded for vulnerability research

This month, the Microsoft Security Response Center welcomed some of the world’s most talented security researchers at Microsoft’s Zero Day Quest, the largest live hacking competition of its kind. The inaugural event challenged the security community to focus on the highest-impact security scenarios for Copilot and Cloud with up to $4 million in potential awards.

We’re excited to share that we received more than 600 vulnerability submissions and awarded more than $1.6 million during the qualifying research challenge and live event. Our team is continuing to evaluate potential vulnerabilities and mitigate where necessary.

During the qualifying rounds, researchers submitted their work for a chance to attend the event in person and earn additional incentives beyond our regular bug bounty awards. A select group of researchers then dug in even further in Redmond and online for the live event where they worked on capture-the-flag challenges in Microsoft products, attended social events, and held technical discussions with the Microsoft security teams.

Nearly 100 researchers also participated in our training sessions, which included AI bug hunting with our AI Red Team, SSRF training with our engineering team, and tips and advice from the bounty team.

Following the success of this inaugural event, today we are making two key investments to deepen our partnership with the research community:

  • The 100% award multiplier for all Copilot bounty awards will remain active. This will continue to incentivize AI research through additional payments for high-impact research. Learn more on our Copilot bounty program page.

  • Zero Day Quest will return annually with new research challenges, bounty multipliers, and deeper collaboration between Microsoft product engineering teams, Microsoft security teams, and the security research community.

The Zero Day Quest is part of Microsoft’s broader bug bounty program, which awarded more than $16 million in 2023 to researchers who responsibly reported vulnerabilities and helped us address them before they could impact our customers. While we ask the research community to follow Coordinated Vulnerability Disclosure (CVD), we also encourage public writeups after mitigation to support continued learning. As part of our Secure Future Initiative (SFI) and our commitment to transparency, we will issue CVEs for all critical issues. Learnings from this and future events will also be shared across Microsoft to help improve cloud and AI security - by default, by design, and in operations. You can read more about our Secure Future Initiative in our latest progress report.

We look forward to our continuing partnership with the security community as we all work together to raise the security bar for everyone.

Tom Gallagher
VP of Engineering, Microsoft Security Response Center (MSRC)
