Zero Day Quest 2025: $1.6 Million Awarded for Vulnerability Research
This month, the Microsoft Security Response Center welcomed an impressive lineup of talented security researchers to participate in the inaugural Zero Day Quest 2025, a live hacking competition that challenged participants to focus on the highest-impact security scenarios for Copilot and Cloud. The event was a huge success, with over 600 vulnerability submissions received and more than $1.6 million awarded to researchers during the qualifying research challenge and live event.
The Zero Day Quest is the largest live hacking competition of its kind, and it's clear that Microsoft's investment in this program has paid off. The team at MSRC is continuing to evaluate potential vulnerabilities and mitigate where necessary, working closely with the security community to identify and address high-impact threats before they can impact customers.
During the qualifying rounds, researchers submitted their work for a chance to attend the event in person and earn additional incentives beyond the regular bug bounty awards. A select group of researchers then took part in an even more intense round of competition, in Redmond and online, digging deep to tackle capture-the-flag challenges in Microsoft products.
But the Zero Day Quest is not just about competition – it's also about collaboration and education. Nearly 100 researchers participated in training sessions, which included AI bug hunting with the AI Red Team, SSRF training with the engineering team, and tips and advice from the bounty team. This helps to build a strong and informed security community, one that can work together to raise the security bar for everyone.
Following the success of this inaugural event, Microsoft is making two key investments to deepen its partnership with the research community. The 100% award multiplier for all Copilot bounty awards will remain active, continuing to incentivize AI research through additional payments for high-impact research. And Zero Day Quest will return annually, with new research challenges, bounty multipliers, and deeper collaboration between Microsoft product engineering teams, security teams, and the security research community.
The Zero Day Quest is part of Microsoft's broader bug bounty program, which awarded over $16 million in 2023 to researchers who responsibly reported vulnerabilities and helped address them before they could impact customers. By encouraging public write-ups after mitigation, Microsoft aims to support continued learning and sharing of knowledge within the security community.
As part of its Secure Future Initiative (SFI) and commitment to transparency, Microsoft will issue CVEs for all critical issues. This helps to ensure that vulnerabilities are publicly disclosed in a timely manner, allowing researchers and security professionals to stay one step ahead of potential threats.
Finally, the learnings from this event will be shared across Microsoft to help improve cloud and AI security – by default, by design, and in operations. By working together with the security community, Microsoft aims to raise the security bar for everyone and create a safer digital world for all.
About the Secure Future Initiative
The Secure Future Initiative (SFI) is an ongoing effort at Microsoft to prioritize security and privacy in its products and services. It includes efforts such as bug bounty programs, penetration testing, and secure software development practices, with the goal of improving cloud and AI security.
Copilot Bounty Program
The Copilot bounty program is a new initiative at Microsoft that aims to encourage responsible disclosure of vulnerabilities in its Copilot product. The program offers rewards for high-impact research, and it's designed to incentivize security researchers to focus on the most critical areas of vulnerability.
Upcoming Events
Zero Day Quest will return annually, with new research challenges, bounty multipliers, and deeper collaboration between Microsoft product engineering teams, security teams, and the security research community. Stay tuned for more information on future events and how you can participate.
Contact Information
For more information on the Zero Day Quest 2025, including details on the Copilot bounty program and the Secure Future Initiative, please visit Microsoft's MSRC website.