Microsoft has awarded $2.3 million to security researchers after receiving nearly 700 submissions during this year’s Zero Day Quest hacking contest.
Tom Gallagher, Vice President of Engineering at Microsoft Security Response Center (MSRC), said that over 80 flaws found during the live event at Microsoft’s Redmond campus were high-impact cloud and AI security vulnerabilities.
“During the 2026 live hacking event, Microsoft partnered with the global security research community, representing more than 20 countries and a wide range of professional backgrounds, from high school students to college professors,” Gallagher said.
“Researchers conducted all testing within authorized environments in accordance with Microsoft’s Rules of Engagement, demonstrating potential impact without accessing customer data or other tenant systems. Within these constraints, researchers identified critical paths involving credential exposure, SSRF chains, and cross‑tenant access.”
Last August, Microsoft announced that it would increase the prize pool at this year’s Zero Day Quest hacking contest to $5 million in bounty awards, which the company described as the “largest hacking event in history.”
The 2025 Zero Day Quest also generated significant participation from the security community, following Microsoft’s offer of $4 million in rewards for vulnerabilities in cloud and AI products and platforms.
After the hacking competition concluded, Microsoft announced it had paid $1.6 million in rewards after receiving more than 600 vulnerability submissions.
The Zero Day Quest contest is part of Microsoft’s Secure Future Initiative (SFI), a cybersecurity engineering effort launched in November 2023, following a scathing report from the Cyber Safety Review Board of the U.S. Department of Homeland Security that found the company’s security culture “inadequate” and requiring “an overhaul.”
“As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the CVE program, even if no customer action is required,” Gallagher said in August. “Learnings from the Zero Day Quest will be shared across Microsoft to help improve Cloud and AI security in alignment with SFI’s core principles: securing by default, by design, and in operations.”
Earlier that month, Microsoft announced it had paid a record $17 million to 344 security researchers across 59 countries through its bug bounty program between July 2024 and June 2025.
In December, it also announced that security researchers would be paid for finding critical vulnerabilities in any of Microsoft’s online services, even if a third party wrote the vulnerable code.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.