Microsoft pays $2.3M for cloud and AI bugs in Zero Day Quest

Microsoft awarded $2.3 million to security researchers after receiving nearly 700 submissions during this year’s Zero Day Quest hacking competition.
Tom Gallagher, Vice President of Engineering at the Microsoft Security Response Center (MSRC), said that more than 80 bugs discovered during a live event at the Microsoft Redmond campus were a major threat to cloud and AI security.
“During the 2026 live hack event, Microsoft is partnering with the global security research community, representing more than 20 countries and diverse professional backgrounds, from high school students to college professors,” Gallagher said.
“The researchers conducted all tests in an authorized environment in accordance with Microsoft’s Rules of Engagement, demonstrating the potential impact without accessing customer data or other employer systems. Within these constraints, the researchers identified key mechanisms involving data exposure, SSRF chains, and unauthorized access to employers.”
Last August, Microsoft announced that it would increase the prize pool for this year’s Zero Day Quest hacking contest to $5 million in cash prizes, which the company described as “the biggest hacking event in history.”
The 2025 Zero Day Quest also generated significant participation from the security community, following Microsoft’s offering of $4 million in vulnerability awards for cloud and AI products and platforms.
After the hacking contest ended, Microsoft announced that it had paid out $1.6 million in rewards after receiving more than 600 vulnerability submissions.
The Zero Day Quest competition is part of Microsoft’s Secure Future Initiative (SFI), a cybersecurity engineering effort launched in November 2023, following a scathing report from the US Department of Homeland Security’s Cyber Safety Review Board that found the company’s security culture “inadequate” and in need of “overhaul.”
“As part of our Secure Future Initiative (SFI), we will openly share critical vulnerabilities through the CVE program, even if no customer action is required,” Gallagher said in August. “The things learned from Zero Day Quest will be shared across Microsoft to help improve Cloud and AI security in line with SFI’s core principles: protect by automation, by design, and by operation.”
Earlier that month, Microsoft announced that it had paid a record $17 million to 344 security researchers in 59 countries for its bug bounty program between July 2024 and June 2025.
In December, it also announced that security researchers will be paid for finding significant vulnerabilities in any of Microsoft’s online services, even if a third party wrote the vulnerable code.