Microsoft Zero Day Quest 2025
As announced in the MSRC Blog, Securing AI and cloud with the Microsoft Zero Day Quest, the Microsoft Zero Day Quest invites security researchers to discover and report high-impact vulnerabilities in Microsoft Copilot and Cloud Bounty Programs: Microsoft Azure, Microsoft Identity, M365, and Microsoft Dynamics 365 and Power Platform. This new program provides new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers to share, learn, and build community as we work to keep everyone safe.
This challenge has two distinct opportunities:
- A Research Challenge (open to everyone) – closed on January 19, 2025
- An Onsite Hacking Event (invite only) – closed on April 3, 2025
The Onsite Hacking Event is Microsoft’s inaugural security research-focused event and celebration, hosted onsite at the Microsoft Campus in Redmond, Washington in 2025. This event will foster new partnerships and deepen existing ones between MSRC, product teams, and external researchers, raising the security bar for all.
The Zero Day Quest Onsite Hacking event is an invite-only event extended to Microsoft’s top 10 ranked researchers from each of the 2024 Quarterly and 2024 Annual Azure, Dynamics, and Office Leaderboards. An additional 45 researchers will be invited based on their submissions to the research challenge, which is open to everyone.
Full details about the Zero Day Quest Onsite Hacking Event can be found here.
Research Challenge Description
The Research Challenge was open to everyone and ran from 12:00 AM Pacific Time, November 19, 2024, through 11:59 PM Pacific Time, January 19, 2025.
The Research Challenge will be subject to the terms of our bounty program, outlined in the Microsoft Bounty Terms and Conditions, our bounty Safe Harbor policy, and additional terms and conditions for the Research Challenge. First-time researchers are encouraged to review the MSRC Researcher Resource Center as well as the definitions surrounding eligible submissions, in-scope, and out-of-scope vulnerabilities before getting started. This information can be found in the respective bug bounty programs listed below.
Bounty Programs in Scope:
Rules of Engagement
If you discover customer or Microsoft data while conducting your research, or are unclear if it is safe to proceed, please stop and contact us at bounty@microsoft.com. The following are not permitted:
- Gaining access to any data that is not wholly your own.
- For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access data that is not your own.
- Moving beyond "proof of concept" repro steps for server-side execution issues.
- For example, proving that you have sysadmin access with SQLi is acceptable; running xp_cmdshell is not.
- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Attempting phishing or other social engineering attacks against others, including our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services.
- Using our services in a way that violates the terms for that service.
Please see the specific bounty program for additional details. Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.
Bounty Award Bonuses (closed)
We are starting off the Research Challenge by permanently doubling all Copilot bounty awards! Please visit the Copilot Bounty Program Page for updated award amounts.
Bounty multipliers for the categories below will be applied to valid, Important or Critical severity issues that align with the existing Azure, Identity, M365, and Dynamics & Power Platform Programs. These bonuses are effective only for the duration of the Research Challenge.
Bounty Multipliers
| Vulnerability Category | Bonus |
|---|---|
| Critical and Important severity Remote Code Execution | +50% |
| Critical and Important severity Elevation of Privilege | +50% |
| All existing High Impact Scenarios on the Azure Bounty Program | +50% |
| All existing High Impact Scenarios on the Microsoft Dynamics 365 and Power Platform Bounty Program | +50% |
| All existing High Impact Scenarios on the M365 Bounty Program | +50% |
*If you submit a valid issue that is eligible for both General Award multipliers and High Impact Scenario multipliers, then you will receive the High Impact Scenario multiplier.
NOTE: Please refer to specific bounty program terms for eligible in-scope vulnerabilities and reward amounts. These multipliers are valid only for the Research Challenge.