Microsoft Raises Zero Day Quest Bug Bounties to $5 Million
Microsoft has announced a significant increase in its Zero Day Quest (ZDQ) bug bounty program, with the total potential rewards now reaching $5 million (A$6.18 million to A$7.73 million respectively). The tech giant's vulnerability-finding program targets its enterprise offerings, including Microsoft Azure, Copilot, Dynamics 365/Power Platform, Identity and M365.
The top bounties will be awarded for high-impact research in cloud and artificial intelligence, with a focus on addressing vulnerabilities in these areas. This includes tackling issues related to Microsoft Azure, Copilot, and Dynamics 365/Power Platform, among others. Researchers whose vulnerability submissions target specific scenarios during the research challenge can earn enhanced bounty awards, with a 50% multiplier for critical-severity discoveries.
The Zero Day Quest program runs from August 4 to October 4 this year, with participants eligible for enhanced rewards if their submissions meet certain criteria. Successful researchers will then be invited to attend a live hacking event at Microsoft's Redmond campus in the spring of 2026, which promises to be the largest public hacking get-together ever. This exclusive gathering brings together the world's leading security researchers to collaborate directly with Microsoft product teams and the Microsoft Security Response Center (MSRC).
Microsoft operates its Zero Day Quest program under the company's coordinated vulnerability disclosure (CVD) policy, which encourages researchers to share their findings publicly once vulnerabilities are fixed or mitigated. The CVD initiative provides transparency through various channels, including blogs, podcasts, and videos, to help the security community learn from discoveries.
The 2025 ZDQ event received an impressive 600 million vulnerability submissions, with a total of $1.6 million awarded in the two phases of the program. This is just one example of Microsoft's commitment to supporting the security research community through its bug bounty programs.
In related news, the MSRC has taken stock of its current bounty initiatives and reported distributing over $17 million in awards to 344 security researchers across 59 countries. This represents the highest total amount of money awarded in the history of the Microsoft Bug Bounty Program.
Microsoft's Bug Bounty Programs: A Comprehensive Overview
Beyond Zero Day Quest, the MSRC operates a range of other bug bounty programs, including nine cloud programs, six platform ones, and four defence and grant programs and challenges. These initiatives provide researchers with numerous opportunities to contribute to Microsoft's security research efforts.
Microsoft's commitment to supporting the security research community is evident in its various bounty programs, which aim to encourage responsible disclosure of vulnerabilities and promote a safer digital landscape. As the tech giant continues to expand its offerings, it remains to be seen how these initiatives will evolve and impact the wider security community.