Zero Day Quest Research Challenge
Eligible Submissions
The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers using the latest version of the application.
Vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Identify a vulnerability that was not previously reported to or otherwise known by Microsoft.
- The vulnerability must be previously unreported, classified as Critical or Important severity, and must reproduce in one of the in-scope products or services.
- Include clear, concise, and reproducible steps, either in writing or in video format, that provide our engineering team with the information necessary to quickly reproduce, understand, and fix the issues.
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria. For additional details, please refer to the specific Microsoft Azure, Microsoft Copilot, Microsoft Dynamics 365 and Power Platform, Microsoft Identity, and M365 bounty program pages.
Use of Your Submission
We are not claiming ownership rights to your submission. However, by providing your submission to Microsoft, you grant Microsoft rights to use your submission as provided in the Microsoft Bounty Terms and Conditions. You will not receive any compensation or credit for use of your submission, other than what is described in this page or the bounty program pages linked to above.
By providing your submission to Microsoft, you acknowledge that Microsoft may have developed or commissioned materials similar or identical to your submission and you waive any claims resulting from any similarities to your submission. Further, you understand that Microsoft will not restrict work assignments of representatives who have had access to your submission, and you agree that use of information in our representatives' unaided memories in the development or deployment of our products or services does not create liability for Microsoft under copyright or trade secret law. Microsoft is not obligated to use your submission for any purpose.
Qualifying for the Zero Day Quest Live Hacking Event
The Zero Day Quest Live Hacking Event is an invite-only event extended to up to 45 MSRC security researchers who have either:
- Submitted >1 valid case to the MSRC and received a critical severity or high impact scenario bounty award in the last year that focus on cloud or AI research areas; OR
- Qualified based on their submissions to the Zero Day Quest Research Challenge, which runs from August 4 to October 4, 2025. The top researchers, by bounty awarded amount, for cases submitted under the eligible scope during the Research Challenge, will be invited to participate in the Zero Day Quest Live Hacking Event.
Resources for Program Participants
To help you with your Zero Day Quest submissions, check out sessions from the AI Red Team, Microsoft Security Response Center, and Dynamics teams:
- Learn to Red Team AI Systems Using PyRIT
- Microsoft's Bug Bounty Program and AI Research
- Security Research in Copilot Studio
Out of Scope Submissions and Vulnerabilities
Please refer to the out-of-scope sections of the Azure, Copilot, Dynamics 365 and Power Platform, Identity, and M365 Bounty Programs.
Additional Terms and Conditions for the Research Challenge
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
- If a duplicate report provides us with new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
- If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
- Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.
- Participants must adhere to the Code of Conduct in the Microsoft Bounty Program Terms and Conditions.
For questions regarding the Research Challenge and/or Microsoft's bounty rules, please email bounty@microsoft.com.
Revision History
- August 4, 2025: Published the new Zero Day Quest Research Challenge page.