Microsoft pays $2.3M for cloud and AI flaws at Zero Day Quest


Microsoft has awarded $2.3 million to security researchers after receiving nearly 700 submissions during this year's Zero Day Quest hacking contest.

Tom Gallagher, Vice President of Engineering at the Microsoft Security Response Center (MSRC), said that over 80 flaws found during the live event at Microsoft's Redmond campus were high-impact cloud and AI security vulnerabilities.

"During the 2026 live hacking event, Microsoft partnered with the global security research community, representing more than 20 countries and a variety of professional backgrounds, from high school students to university professors," Gallagher said.


"Researchers conducted all testing within authorized environments based on Microsoft's Rules of Engagement, demonstrating potential impact without accessing customer data or other tenant systems. Within these constraints, researchers identified critical paths involving credential exposure, SSRF chains, and cross-tenant access."

Last August, Microsoft announced that it would increase the prize pool at this year's Zero Day Quest hacking contest to $5 million in bounty awards, which the company described as the "largest hacking event in history."

The 2025 Zero Day Quest also generated significant participation from the security community, following Microsoft's offer of $4 million in rewards for vulnerabilities in cloud and AI products and platforms.

After the hacking competition concluded, Microsoft announced it had paid $1.6 million in rewards after receiving more than 600 vulnerability submissions.

The Zero Day Quest contest is part of Microsoft's Secure Future Initiative (SFI), a cybersecurity engineering effort launched in November 2023, following a scathing report from the Cyber Safety Review Board of the U.S. Department of Homeland Security that found the company's security culture "inadequate" and requiring "an overhaul."

"As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the CVE program, even if no customer action is required," Gallagher said in August. "Learnings from the Zero Day Quest will be shared across Microsoft to help improve Cloud and AI security in alignment with SFI's core principles: secure by default, by design, and in operations."

Earlier that month, Microsoft announced it had paid a record $17 million to 344 security researchers across 59 countries through its bug bounty program between July 2024 and June 2025.

In December, it also announced that security researchers would be paid for finding critical vulnerabilities in any of Microsoft's online services, even if a third party wrote the vulnerable code.
