Zero Day Quest Live Hacking Event (original) (raw)
OVERVIEW
As announced in the MSRC blog, Microsoft Zero Day Quest invites security researchers to discover and report high-impact vulnerabilities in Microsoft Azure, Microsoft Azure DevOps, Microsoft Defender, Microsoft Dynamics 365 and Power Platform, Microsoft Identity, M365, Microsoft Copilot, and Microsoft 365 Copilot Bounty Programs. Zero Day Quest provides new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers to share, learn, and build community as we work to keep everyone safe.
This challenge has two distinct opportunities:
- A Research Challenge (open to everyone)
- A Live Hacking Event (invite only)
The Live Hacking Event is Microsoft’s celebration of security research, hosted at Microsoft’s Redmond campus in March 2026. This event will foster new partnerships and strengthen existing ones among MSRC, product teams, and external researchers, raising the security bar for all.
Full details about the Zero Day Quest Research Challenge can be found here.
NOTE: Researchers who have not received an invitation to this event are not eligible for the awards listed below.
QUALIFYING FOR THE ZERO DAY QUEST LIVE HACKING EVENT
The Zero Day Quest Live Hacking Event is an invite-only event extended to up to 45 MSRC security researchers who have either:
- Submitted >1 valid case to the MSRC and received a critical severity or high impact scenario bounty award since July 1, 2024, that focus on cloud or AI research areas; OR
- qualified based on their submissions to the Zero Day Quest Research Challenge, which ran from August 4 to October 4, 2025. The topresearchers, by bounty awarded amount, for cases submitted under the eligible scope during the Research Challenge, were invited to participate in the Zero Day Quest Live Hacking Event.
LIVE HACKING EVENT SCOPE
The Zero Day Quest Live Hacking Event is invite-only and runs from 12:00 AM Pacific Time, February 17, 2026, through 11:59 PM Pacific Time, March 18, 2026.
First-time researchers are encouraged to review the MSRC Researcher Resource Center as well as the definitions surrounding eligible submissions, in-scope, and out-of-scope vulnerabilities before getting started. This information can be found in the respective bug bounty programs listed below.
Bounty Programs in Scope:
- Microsoft Azure
- Microsoft Azure DevOps
- Microsoft Defender
- Microsoft Dynamics 365 and Power Platform
- Microsoft Identity
- M365
- Microsoft Copilot
- Microsoft 365 Copilot
HOW TO SUBMIT
Visit the MSRC Researcher Portal and follow the instructions to submit your reports.
In order to be eligible to receive a bounty award, you must include the following in your submissions:
- Targeted bonus categories or flash challenges
Microsoft is not responsible for excess, lost, late, or incomplete submissions. If disputed, submissions will be deemed submitted by the “authorized account holder” of the email address used to enter. The “authorized account holder” is the natural person assigned to an email address by an internet or online service provider, or other organization responsible for assigning email addresses.
BOUNTY AWARDS
Researchers who submit eligible submissions will receive bounty awards in the amounts specified in the terms of the relevant bounty program. Once submitted, your submission will be reviewed by the Microsoft Security Response Center to determine if they are eligible for a bounty award, based on the judgment criteria specified in the relevant bounty program.
Bounty awards will be awarded in accordance with the Microsoft Bounty Terms and Conditions.
BOUNTY AWARD MULTIPLIERS
*If you submit a valid issue that is eligible for both General Award multipliers and High Impact Scenario multipliers, then you will receive the High Impact Scenario multiplier.
NOTE: Please refer to specific bounty program terms for eligible in-scope vulnerabilities and reward amounts. These multipliers are valid only for the invite-only Zero Day Quest Live Hacking Event.
| Vulnerability Category | Bonus | Program |
|---|---|---|
| Authentication + Multifactor Authentication Bypass (MFA) | +100% | Identity Bounty Program |
| Information disclosure of enterprise data1 with no user interaction2 1_Enterprise data_ includes, without limitation, emails, Teams messages, SharePoint documents, etc. 2_No user interaction_ refers to situations where a user does not engage with or respond to prompts, commands, or outputs from the AI system after an initial query is made (i.e. by rendering images that cause browser requests, triggering plugin calls etc.). | +100% | Microsoft 365 Copilot Bounty Program |
| Authentication Bypass (non-MFA) | +50% | All Zero Day Quest Bounty Programs |
| Remote Code Execution | +50% | All Zero Day Quest Bounty Programs |
| Authorization Bypass | +50% | All Zero Day Quest Bounty Programs |
| Cross Tenant Information Disclosure or Cross Tenant Elevation of Privilege | +50% | All Zero Day Quest Bounty Programs |
| Azure Health Bot | +30% | Azure Bounty Program |
| Azure Data Explorer (ADX) | +30% | Azure Bounty Program |
| Azure DevOps (ADO) | +30% | Azure Bounty Program |
| Azure Policy | +30% | Azure Bounty Program |
| Azure Container Instances [ACI] (ACI via Kubernetes using Virtual Node 2 (VN2) & Regular (non‑confidential) ACI | +30% | Azure Bounty Program |
| Model Context Protocol (MCP) servers: Azure DevOps MCPMicrosoft Foundry MCPMicrosoft Sentinel Data Exploration MCP | +30% | Azure & Azure DevOps Bounty Program |
| Microsoft 365 Home Pages | +30% | M365 Bounty Program |
| Microsoft Admin Portal | +30% | M365 Bounty Program |
| Purview Compliance Portal | +30% | M365 Bounty Program |
| Exchange, Sharepoint, and Teams Admin Portals | +30% | M365 Bounty Program |
| Information disclosure of enterprise data with one-click user interaction | +20% | Microsoft 365 Copilot Bounty Program |
| All existing "High Impact Scenarios" | +20% | Azure, M365, Dynamics 365 & Power Platform Bounty Programs |
| Server-Side Request Forgery (SSRF) | +20% | Azure, Dynamics & Power Platform Bounty Programs |
| Vulnerabilities in select Public Preview Products: Microsoft Planetary Computer ProAzure SRE AgentMicrosoft Graph Data ConnectAzure Compute FleetAzure BlueprintsUpdate Management Center | +20% | Azure Bounty Program |
ZERO DAY QUEST: FLASH CHALLENGES WITH AWARDS UP TO $250,000!
We’re launching a series of time-sensitive challenges with specified targets for our researchers to uncover!
The first researcher to capture a flag or achieve the criteria in any of the scenarios listed below will earn an exclusive one-time award, in the amount described below for the applicable scenario. This award is standalone and will not be combined with the base bounty award and multiplier.
NEW: Microsoft Entra ID Flash Challenges run from 09:00 AM Pacific Time Monday March 2, 2026 through 11:59 PM Pacific Time March 18, 2026.
NEW: Microsoft Global Secure Access (GSA) Entra ID Flash Challenges run from 09:00 AM Pacific Time Monday March 2, 2026 through 11:59 PM Pacific Time March 18, 2026.
The SharePoint Online and Microsoft 365 Copilot flash challenges run from 09:00 AM Pacific Time, February 17, 2026, through 11:59 PM Pacific Time, March 18, 2026.
CLOSED: The Microsoft Defender for Office 365 flash challenge ran from 09:00 AM Pacific Time, February 23, 2026, through 11:59 PM Pacific Time, February 27, 2026.
NEW: Microsoft Entra ID - Cross-Tenant/Cross-User Access
Target Information:
- Targets in-scope of identity services
- Challenges researchers to demonstrate cross-tenant or cross-user access by demonstrating access to the following account:
- Email: victim@zdqnexus.onmicrosoft.com
- OID: d97914a3-8886-433b-b232-988d6f233e9d
- TID: 5eef8d9d-1602-48b4-8646-49735e662fc9
Scenario:
- Authentication Bypass – Cross-Tenant | $250,000
- Demonstrate a full account takeover that can be used on the user account.
- Achieve authentication and satisfy MFA requirements for the targeted user, being able to access all applications and data.
- Authorization Bypass - Within Tenant | $100,000
- Demonstrate a full account takeover that can be used on an account inside your tenant.
- Achieve authentication and satisfy MFA requirements for the targeted user, being able to access all applications and data.
Out of Scope
- Please refer to the out-of-scope section for the Identity Bounty Program, in addition to the following:
- Cross-Site Scripting Vulnerabilities
- Cross-Site Request Forgery Vulnerabilities
- HTTP Request Smuggling Vulnerabilities
- Vulnerabilities that do not result in full, unrestricted authentication (e.g. a singular system is vulnerable or impacted)
- Vulnerabilities that require any user interaction or significant preconditions
- Vulnerabilities that are the result of a third party (e.g. external SAML implementations)
- Vulnerabilities that do not bypass MFA
- Vulnerabilities that only impact a subset of user accounts
- Vulnerabilities that only impact consumer systems (MSA)
NEW: Microsoft Global Secure Access (GSA) Entra ID
Target Information:
- Targets Microsoft Global Secure Access (GSA) and evaluates whether adversaries can break its core security promise.
- GSA Quickstart, licenses for Microsoft Entra Suite and Microsoft 365 E5 have been shared with you.
Scenario:
- Authorization Bypass – Access another tenant backend resources | $75,000
- Demonstrate that you are able to route traffic to another tenant’s backend resource using Microsoft Entra Private Access.
- Remote Code Execution (RCE) – Achieve RCE on a backend GSA traffic processing node | $75,000
- Demonstrate an RCE vulnerability that impacts a GSA node processing traffic.
- Authorization Bypass – Modify another tenants GSA policies or configuration | $50,000
- Demonstrate a vulnerability that allows you to modify another tenants GSA routing tables/policies or traffic configurations.
Out of Scope
- Please refer to the out-of-scope section for the Identity Bounty Program, in addition to the following:
- Cross-Site Scripting Vulnerabilities
- Cross-Site Request Forgery Vulnerabilities
CLOSED: Microsoft Defender for Office (MDO) 365 - SafeLinks Challenge
Target Information:
- SafeLinks API - demonstrate remote code execution as an unauthenticated user via SafeLinks API.
- Tenant setup: Microsoft 365 E5 licenses (including MDO Plan 1/Plan 2) with URL and SafeLinks click protection settings enabled in policy.
User Roles:
- Security administrator and regular user
Set up Instructions:
- Customer/Product Documentation: Why do I need Microsoft Defender for Office 365? | Microsoft Learn
- Deploy MDO: Get started with Microsoft Defender for Office 365 | Microsoft Learn
- Configure SafeLinks in MDO: Complete Safe Links overview for Microsoft Defender for Office 365 - Microsoft Defender for Office 365 | Microsoft Learn
Set up Safe Links policies in Microsoft Defender for Office 365 - Microsoft Defender for Office 365 | Microsoft Learn - Manage tenant allow block list for URLs: Manage allows and blocks in the Tenant Allow/Block List - Microsoft Defender for Office 365 | Microsoft Learn
Scenario:
- Remote Code Execution – Unauthenticated SafeLinks API | $100,000
- Demonstrate remote code execution by interacting directly with SafeLinks API endpoints as an unauthenticated attacker.
- Remote Code Execution – Authenticated SafeLinks bypass using integrated apps | $50,000
- Demonstrate unsafe execution paths through SafeLinks-integrated applications (Office apps, Teams, M365 Copilot) as an authenticated Microsoft 365 user.
Out of Scope:
- Please refer to the out-of-scope section for the Microsoft Defender Bounty Program page, in addition to the following out-of-scope vulnerability types include: Cross-Site Scripting (XSS), on-premises deployments, vulnerabilities that require user interaction to trigger, and issues in third-party software.
SharePoint Online Challenge
Target Information
- Users in this tenant have Microsoft 365 Standard and Business Premium licenses.
- Your credentials and high-level tenant details will be emailed to you directly!
Scenarios
- Remote Code Execution – Unauthenticated Deserialization of Untrusted Data | $100,000
- As an unauthenticated user, demonstrate one of the following actions:
* Launch a process on a backend server
* Return environment variables from the current process
* Get a list of running processes on the server
- As an unauthenticated user, demonstrate one of the following actions:
- Remote Code Execution – Authenticated Deserialization of Untrusted Data bypassing Unsafe Controls | $50,000
- As an authenticated user, demonstrate one of the following actions:
* Launch a process on a backend server
* Return environment variables from the current process
* Get a list of running processes on the server
- As an authenticated user, demonstrate one of the following actions:
- Cross-tenant authorization/authentication bypass | $100,000
- Starting as a user outside the following tenant, access the contents of the document at this URL: https://a830edad9050849zdq2026b.sharepoint.com/Shared%20Documents/087b7623-dcdf-4b47-950d-4fd1db0879b7.docx
- Within-tenant authorization bypass | $50,000
- Starting as a user within the following tenant (you will be emailed credentials), access the contents of the document at this URL: https://testtenant102398-my.sharepoint.com/:w:/r/personal/random22_testtenant102398_onmicrosoft_com/_layouts/15/doc.aspx?sourcedoc={18646099-fae9-41ec-9599-bbee5ccddee1}
- Arbitrary File Read/Write | $25,000
- Write a file to the file system of a SharePoint Online datacenter server with the following file name: c58a1d94-0745-4b9b-8d68-926af41cb501.abc
- Read a file from the file system of a SharePoint Online datacenter server. These must be internal system files, such as web.config.
- High-privileged Entra token leak | $25,000
- Capture an Entra token issued to a Microsoft first-party application that grants app-only access to SharePoint content, directly or through MS Graph. This must be a token issued to an app owned by Microsoft, not an app that you developed yourself.
- Entra tokens can be decoded at https://jwt.ms. An app-only token has these properties:
* No xms_spcu claim
* One or more of the following:
* idtyp claim = "app"
* oid claim value matches the sub claim value
* ver claim = "service_asserted_app_v1" - For direct SharePoint access
* aud claim = "00000003-0000-0ff1-ce00-000000000000" - For SharePoint content access via MS Graph
* aud claim = "https://graph.microsoft.com/"
* Roles claim contains any Sites.* or Files.* roles
Out of Scope
Please refer to the out-of-scope section for the M365 Bounty Program, in addition to the following types of submissions, which are not eligible for a bounty described above:
- Cross Site Scripting vulnerabilities
- Vulnerabilities found in on-prem versions of the application
- Vulnerabilities requiring user interaction or significant preconditions
- Vulnerabilities relying on third party code or extensions
Microsoft 365 Copilot Challenge
Target Information
- Microsoft 365 Copilot using a work or school account
Scenario
- Accessing another user’s file that you should not have access to within the same tenant | $100,000
- Starting as User A within your tenant, create a document containing an obscure flag and label it “Highly Confidential – Recipients Only.” Grant User B read-only access to this document. Then, using a separate identity (User C), attempt to access the contents of the document using Microsoft 365 Copilot.
Out of Scope
Please refer to the out-of-scope section for the Microsoft 365 Copilot Bounty Program, in addition to the following types of submissions, which are not eligible for a bounty described above:
- Cross Site Scripting vulnerabilities
- Vulnerabilities requiring user interaction or significant preconditions
- Vulnerabilities relying on third party code or extensions
OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES
- Cross Site Scripting vulnerabilities in the Azure and Dynamics 365 and Power Platform Bounty Programs.
- Vulnerabilities in Confidential Compute.
Services will be awarded under existing Bounty Programs, but not eligible for multipliers or count towards the bounty leaderboard for this event.
TRAVEL AND ACCOMMODATIONS (Updated for 2026)
Microsoft will coordinate and book round-trip economy airfare for eligible participants through our designated travel agency. Travel will be arranged from the major airport closest to the participant’s home and is subject to the following conditions:
- Microsoft will cover the base fare and standard taxes only, up to 2,000USDforinternationaltravelandupto2,000 USD for international travel and up to 2,000USDforinternationaltravelandupto750 USD for travel within North America (including Canada and Mexico).
- Optional add-ons, including seat upgrades, baggage fees, early boarding, lounge access, preferred seating, and other ancillary charges, are not covered
- Participants who live within 300 miles of the event location may be provided with alternative transportation instead of airfare. The mode of travel will be determined by Microsoft.
- Participants are responsible for securing all required travel documents, including but not limited to government-issued ID, visa, or passport. Microsoft cannot book travel until all required documents are obtained.
- Once travel has been booked through Microsoft’s travel agency, no changes or cancellations can be made.
- Travel must occur on the dates specified by Microsoft. Failure to travel on the approved itinerary may result in forfeiture of the event invitation.
Additional information about the travel booking process will be provided directly to invited participants when arrangements begin.
RESEARCH RULES OF ENGAGEMENT
To maintain the security and integrity of our services, all participants in Microsoft's bounty programs must strictly adhere to the Microsoft Security Testing Rules of Engagement (ROE). These guidelines are crafted to enable security researchers to assess the security of Microsoft Online Assets effectively while ensuring that other customers and infrastructure remain unaffected. For comprehensive details about these rules, please consult the Microsoft ROE website.
If you accidentally access unauthorized data, stop immediately. Notify MSRC with the details, delete the data, and acknowledge this in any bug bounty report. Do not share the accessed information.
If you attempt or we have strong reason to believe that you have compromised the integrity or the legitimate operation of the Live Hacking Event by cheating, hacking, creating a bot or other automated program, or by committing fraud in any way, Microsoft may (a) disqualify you from participation in the Live Hacking Event, (b) seek damages from you to the full extent of the law and (c) ban you from participation in future Microsoft events and programs.
USE OF YOUR SUBMISSION
We are not claiming ownership rights to your submission. However, by providing your submission to Microsoft, you grant Microsoft rights to use your submission as provided in the Microsoft Bounty Terms and Conditions. You will not receive any compensation or credit for use of your submission, other than what is described in this page or the bounty program pages linked to above.
By providing your submission to Microsoft, you acknowledge that Microsoft may have developed or commissioned materials similar or identical to your submission and you waive any claims resulting from any similarities to your submission. Further you understand that Microsoft will not restrict work assignments of representatives who have had access to your submission, and you agree that use of information in our representatives’ unaided memories in the development or deployment of our products or services does not create liability for Microsoft under copyright or trade secret law. Microsoft is not obligated to use your submission for any purpose.
RESOURCES FOR PROGRAM PARTICIPANTS
ADDITIONAL TERMS AND CONDITIONS FOR THE LIVE HACKING EVENT - coming soon!
- If the onsite Live Hacking Event is canceled for any reason, Microsoft will not seek reimbursement for any travel expenses.
- For questions regarding the Live Hacking Event and/or Microsoft’s bounty rules, please email bounty@microsoft.com.
- For questions regarding the Live Hacking Event or to find out who won, please email zerodayquest@microsoft.com with the subject line “Microsoft Zero Day Quest Live Hacking Event.”
- For additional information, please see our FAQ.
- Personal data you provide while participating in the Live Hacking Event will be used by Microsoft and/or its agents acting on Microsoft’s behalf only for the administration and operation of the Live Hacking Event and in accordance with the Microsoft Privacy Statement.
REVISION HISTORY
- March 3, 2025: The Zero Day Quest Live Hacking Event launched.
- March 20, 2025: Added Flash Challenges for SharePoint Online and Exchange Online.
- March 26, 2025: Added Flash Challenge for Copilot.
- August 4, 2025: Updated the Zero Day Quest Live Hacking Event page with new event information.
- February 17, 2026: Updated the Zero Day Quest Live Hacking Event page with new scope and bounty awards for 2026.
- February 23, 2026: Updated the Zero Day Quest Live Hacking Event page with new scope and bouny awards for Model Context Protocol (MCP) servers: Azure DevOps MCP, Microsoft Foundry MCP, Microsoft Sentinel Data Exploration MCP.
- February 23, 2026: Added Flash Challenge for Microsoft Defender for Office 365 - SafeLinks.
- February 27, 2026: Closed Flash Challenge for Microsoft Defender for Office 365 - SafeLinks.
- March 2, 2026: Added Flash Challenge for Microsoft Entra ID and Microsoft Global Secure Access (GSA) Entra ID.
- March 5, 2026: Clarified Bounty Award Multiplier for "Cross Tenant".