Microsoft Boosts Zero Day Quest Bounty to $5 Million, Targeting Cloud and AI Vulnerabilities
Microsoft is escalating its offensive against cloud and AI vulnerabilities by offering security researchers up to $5 million in rewards during the 2025 Zero Day Quest hacking competition—dubbed the "largest hacking event in history." The three-month challenge (August 4–October 4, 2025) specifically targets weaknesses in Microsoft Azure, Copilot, Dynamics 365, Power Platform, Identity, and M365 services, with critical-severity discoveries qualifying for 50% bounty multipliers.
This record prize pool marks a 25% increase from 2024's $4 million offering, which yielded over 600 submissions and $1.6 million in payouts. Researchers uncovering critical flaws in designated high-impact scenarios can now earn significantly amplified rewards, with Microsoft clarifying:
"If your submission qualifies for both general and high-impact multipliers, the higher value applies."
Top performers will secure invitations to an exclusive live hacking event at Microsoft's Redmond campus in Spring 2026, collaborating directly with the Microsoft Security Response Center (MSRC) and product teams. The initiative includes specialized training sessions from Microsoft's AI Red Team covering AI system testing methodologies and vulnerability research—a strategic investment following the U.S. Cyber Safety Review Board's 2023 report criticizing Microsoft's "inadequate" security culture.
The competition anchors Microsoft's Secure Future Initiative (SFI), which mandates "securing by default, by design, and in operations." All findings will be transparently disclosed via the CVE program, even when no customer action is required. Concurrently, Microsoft revealed increased bounties for .NET/ASP.NET Core vulnerabilities (up to $40,000) and a 100% award multiplier for all Copilot-related discoveries—signaling intensified focus on generative AI risks.
Source: BleepingComputer