Microsoft Copilot Bounty | MSRC (original) (raw)

PROGRAM DESCRIPTION

The Microsoft Copilot bounty program invites eligible security researchers to discover vulnerabilities in the new, innovative, Microsoft Copilot. Qualified submissions are eligible for bounty awards from 250to250 to 250to30,000 USD. This includes third-party and open-source components included in the service. Please note that qualifying reports must demonstrate a qualifying security impact on the specified service.

ELIGIBLE SUBMISSIONS

The goal of the Microsoft Bug Bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers.

In addition to the eligibility requirements listed on the Bounty Program Guidelines page, vulnerability submissions must meet the following criteria to be eligible for bounty awards:

• Such vulnerability must have a severity level of Critical, Important, or Moderate (as defined by the Microsoft Vulnerability Severity Classification for AI Systems and the Microsoft Vulnerability Severity Classification for Online Services).
• The vulnerability must be reproducible on the latest, fully patched version of the product or service.

We request researchers include the following information to help us quickly assess their submission:

• Submit through the MSRC Researcher Portal.
• Select “Copilot, AI+ML, and LLMs” in the “Product” section of the vulnerability submission.
• Include the conversation ID in the “Steps to reproduce” section of your vulnerability submission.
• To retrieve the conversation ID, enter “/id” as a chat command.
• Describe the attack vector for the vulnerability.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.

SCOPE

Vulnerabilities submitted in the following Product(s) are eligible under this bounty program when tested using a personal account:

• Copilot AI experiences hosted on copilot.microsoft.com and copilot.ai in Browser (all major vendors are supported).
• Copilot AI experiences integrated in Microsoft Edge (Windows), including Copilot Mode.
• Copilot AI experiences in the Microsoft Copilot Application (iOS and Android).
• Copilot AI experiences integrated into the Windows OS, via the Microsoft Copilot Application.
• Copilot AI experiences on WhatsApp and Telegram.

GETTING STARTED

Please follow the guidance below to create a test personal account for security testing and probing. Please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability.

In all cases, where possible, please include the string “MSOBB” in your account name and/or tenant name to identify it as being used for security research.

• Access Microsoft Copilot here and log in or register for a personal account.
• Check out sessions from the AI Red Team and Microsoft Security Response Center:
  • Learn to Red Team AI Systems Using PyRIT
  • Microsoft's Bug Bounty Program and AI Research
  • Security Research in Copilot Studio

BOUNTY AWARDS

Bounty awards range from 250upto250 up to 250upto30,000 USD. Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. If a single submission is eligible for multiple awards, the submission will be awarded the single highest qualifying award.

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix.

OUT-OF-SCOPE SUBMISSIONS AND VULNERABILITIES

Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty award.

If your submission is evaluated as out-of-scope for this individual bounty program, it may still qualify for an award under theStandard Award Policy.

Here are some of the common low-severity or out-of-scope issues that typically do not earn bounty awards:

• Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community.
• Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations.
• Vulnerabilities in OpenAI model should be reported directly to OpenAI.
• AI prompt injection attacks that do not have a security impact on users other than the attacker.
• Model hallucination where the model pretends to run arbitrary code provided to it.
• Attacks that aim to leak (part of) the system/meta prompt.
• Content-related issues as defined by the Microsoft Vulnerability Severity and Content Classifications for AI Systems.
  • Content-related issues can be reported to the MSRC Researcher Portal. In the Security Impact section, select “AI derived harm”.
• Out-of-scope vulnerability types, including:
  • Vulnerabilities requiring physical access to hardware components
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • Cookie replay vulnerabilities
  • Sub-Domain Takeovers
  • Denial-of-Service (DoS) attacks
  • Low impact CSRF bugs (such as logoff)
  • Server-side information disclosure such as IPs, server names, and most stack traces. Debug pages and reverse minified JS are also out-of-scope
• Vulnerabilities based on user configuration or action, for example:
  • Vulnerabilities requiring extensive or unlikely user actions
  • Vulnerabilities in user-created content or applications
• Vulnerabilities based on third parties that do not demonstrate a qualifying security impact on the specified service.
  • Vulnerabilities in third-party software provided by Azure, such as gallery images and ISV applications.
• Training, documentation, samples, and community forum sites related to Microsoft Copilot products and services are out-of-scope for bounty awards.

Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty.

ADDITIONAL INFORMATION

For additional information, please see our FAQ.

REVISION HISTORY

• October 12, 2023: Program launched.
• April 11, 2024: Updated in scope products to Microsoft Copilot.
• October 2, 2024: Updated in scope products to Copilot AI experiences and Bing generative search.
• November 19, 2024: Increased the bounty award amounts.
• November 26, 2024: Removed “in scope vulnerabilities” section. Please refer to the Microsoft Vulnerability Severity Classification for AI Systems.
• January 21, 2025: Added new vulnerability types to the bounty awards section.
• February 6, 2025: Added Copilot AI experiences on WhatsApp and Telegram to in scope products. Added moderate severity issues to bounty program scope. Added clarifications for the Out-of-Scope Submissions and Vulnerabilities. Renamed this program to the Microsoft Copilot Bounty Program.
• February 27, 2025: Updated Eligible Submissions section; added clarifications for the Out-of-Scope Submissions and Vulnerabilities section.
• March 11, 2025: Added clarification to the In Scope Services and Products & Getting Started sections to direct researchers to use a personal account for Copilot research. Updated the Research Rules of Engagement section. Removed Bing generative search hosted on bing.com from In Scope Services and Products since that redirects to copilot.microsoft.com.
• May 13, 2025: Updated Research Rules of Engagement section.
• May 16, 2025: Updated bounty award table.
• September 16, 2025: Removed Model Manipulation vulnerability type from the Bounty Awards section to align with the Microsoft Vulnerability Severity Classification for AI Systems and updated Out-of-Scope Submissions and Vulnerabilities section.
• October 16, 2025: Updated In Scope Services and Products, removed reference to Copilot Pro, which is no longer offered.
• October 27, 2025: Added reference to Copilot Mode in Edge in In Scope Services and Products.
• December 11, 2025: Updated hyperlinks and standardized language.
• April 7, 2026: Updated Getting Started section.