Microsoft awarded $2.3 million to security researchers who discovered nearly 700 vulnerabilities during its Zero Day Quest hacking contest, with over 80 high-impact cloud and AI security flaws identified during the live event at Microsoft's Redmond campus.
Microsoft has awarded $2.3 million to security researchers after receiving nearly 700 submissions during this year's Zero Day Quest hacking contest. Tom Gallagher, Vice President of Engineering at Microsoft Security Response Center (MSRC), said that over 80 flaws found during the live event at Microsoft's Redmond campus were high-impact cloud and AI security vulnerabilities.

"During the 2026 live hacking event, Microsoft partnered with the global security research community, representing more than 20 countries and a wide range of professional backgrounds, from high school students to college professors," Gallagher said. "Researchers conducted all testing within authorized environments in accordance with Microsoft's Rules of Engagement, demonstrating potential impact without accessing customer data or other tenant systems. Within these constraints, researchers identified critical paths involving credential exposure, SSRF chains, and cross-tenant access."
Last August, Microsoft announced that it would increase the prize pool at this year's Zero Day Quest hacking contest to $5 million in bounty awards, which the company described as the "largest hacking event in history." The 2025 Zero Day Quest also generated significant participation from the security community, following Microsoft's offer of $4 million in rewards for vulnerabilities in cloud and AI products and platforms.
After the 2025 competition concluded, Microsoft announced it had paid $1.6 million in rewards after receiving more than 600 vulnerability submissions. The Zero Day Quest contest is part of Microsoft's Secure Future Initiative (SFI), a cybersecurity engineering effort launched in November 2023 and expanded in May 2024 after a scathing report from the U.S. Department of Homeland Security's Cyber Safety Review Board found the company's security culture "inadequate" and in need of "an overhaul."
"As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the CVE program, even if no customer action is required," Gallagher said in August. "Learnings from the Zero Day Quest will be shared across Microsoft to help improve Cloud and AI security in alignment with SFI's core principles: securing by default, by design, and in operations."
Earlier in August, Microsoft announced it had paid a record $17 million to 344 security researchers across 59 countries through its bug bounty program between July 2024 and June 2025. In December, it also announced that security researchers would be paid for finding critical vulnerabilities in any of Microsoft's online services, even if a third party wrote the vulnerable code.
Through the Zero Day Quest, Microsoft pays outside researchers to find vulnerabilities in its cloud and AI products under defined rules of engagement and in authorized test environments, so that issues are reported and fixed before they can be exploited by malicious actors.
For organizations looking to improve their own security testing, Microsoft's approach offers several key takeaways:
- Structured engagement: Provide clear rules of engagement and authorized testing environments
- Diverse participation: Engage researchers from various backgrounds and experience levels
- Comprehensive coverage: Test across cloud and AI platforms, not just traditional software
- Transparent reporting: Share findings through established vulnerability disclosure programs
- Continuous improvement: Use findings to inform broader security initiatives
The vulnerability classes Gallagher named reflect how cloud compromises actually chain together. A server-side request forgery (SSRF) bug in a cloud service lets an attacker make that service issue requests from inside the provider's network, where internal endpoints such as the instance metadata service hand out access tokens to anything that can reach them; if the service's own identity has access to more than one customer's resources, a token obtained this way is what turns an SSRF into cross-tenant access. Credential exposure is the common denominator in both findings, which is why secrets management, short-lived tokens and strict controls on any component that fetches user-supplied URLs remain the first line of defense.
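The check a cloud service needs in front of any user-supplied URL fetch is the one that stops the SSRF-to-metadata step described above. The following is an added example written for this article, not code from Microsoft or from any contest submission: it contrasts the naive pattern (trust whatever host the caller gave) with a vetted one that parses the URL, resolves the host, rejects link-local, loopback and private destinations including the IPv4-mapped IPv6 form, and returns the resolved addresses for the caller to pin. The hostnames, the IMDS URL and the DNS table are constructed for illustration, and the table stands in for a real resolver so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges an outbound request made on a user's behalf must never reach.
# 169.254.0.0/16 covers the instance metadata service (169.254.169.254 on
# Azure, AWS and GCP), the usual source of credential exposure in an SSRF
# chain; the others are loopback, RFC 1918, CGNAT and IPv6 local space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table standing in for socket.getaddrinfo() so the example
# runs offline. "api.partner.example" is a legitimate external host;
# "metadata.attacker.example" is an attacker-controlled name that points at
# IMDS, the classic way past a denylist that only looks at the hostname.
CONSTRUCTED_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "metadata.attacker.example": ["169.254.169.254"],
}


def constructed_resolver(host):
    """Hypothetical resolver: returns the addresses a name maps to, or []."""
    return CONSTRUCTED_DNS.get(host, [])


def is_blocked(ip):
    """True if ip lies in a blocked range. IPv4-mapped IPv6 (::ffff:a.b.c.d)
    is unwrapped first so that http://[::ffff:169.254.169.254]/ is caught."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def naive_target(url):
    """Vulnerable pattern: connect to whatever host the caller supplied."""
    return urlsplit(url).hostname


def vetted_target(url, resolve=constructed_resolver):
    """Hardened pattern. Returns (allowed, reason, pinned_ips).

    The caller must connect to pinned_ips rather than re-resolve the name;
    a DNS answer that changes between check and use (rebinding) would
    otherwise defeat the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "no host in URL", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    try:
        ips = [ipaddress.ip_address(host)]          # IP literal, no DNS step
    except ValueError:
        try:
            ips = [ipaddress.ip_address(a) for a in resolve(host)]
        except ValueError:
            return False, "resolver returned a non-address", []
        if not ips:
            return False, f"{host} does not resolve", []
    for ip in ips:
        if is_blocked(ip):
            return False, f"{host} -> {ip} is in a blocked range", []
    return True, "ok", [str(ip) for ip in ips]


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/report",
              "http://169.254.169.254/metadata/instance?api-version=2021-02-01",
              "http://[::ffff:169.254.169.254]/",
              "http://metadata.attacker.example/",
              "http://api.partner.example@169.254.169.254/",
              "file:///etc/passwd"):
        print(f"{u:66} naive={naive_target(u)!s:24} vetted={vetted_target(u)[:2]}")
```

Two design points matter more than the denylist itself. First, the decision is made on resolved addresses, not on the hostname string, so an attacker-controlled DNS name pointing at IMDS is treated the same as the literal address. Second, the function hands back the addresses it checked so the HTTP client can connect to them directly; a check that resolves once and then lets the client resolve again is only as strong as the attacker's DNS TTL.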
Paying for findings before they reach the wild is cheaper than responding to them afterwards, and Microsoft's bounty spending reflects that calculation. As more of its attack surface moves into cloud and AI services, where a single bug in a shared component can affect many tenants at once, events of this kind are one of the few ways to get adversarial coverage of that surface at scale, and the lessons they produce are only useful if they feed back into how the platforms are designed and operated.
