In the fiscal year ending June 30, 2025, Microsoft significantly bolstered its commitment to cybersecurity by awarding $17 million to 344 security researchers across 59 countries through its bug bounty programs. This marks the highest annual payout since the program’s inception in 2018, bringing the total disbursed to $92.5 million.
A Year of Record-Breaking Rewards
The $17 million awarded this year surpasses the previous year’s total of $16.6 million, reflecting Microsoft’s escalating investment in identifying and mitigating security vulnerabilities. The company received over 600 vulnerability submissions during the Zero Day Quest qualifying research challenge, which contributed $1.6 million to the annual total. This initiative underscores Microsoft’s proactive approach to engaging the global security research community in fortifying its products and services.
Expanding the Scope of Bug Bounty Programs
Over the past year, Microsoft has broadened the reach of its bug bounty programs to encompass a wider array of products and services, aligning with emerging threats and evolving security challenges. Key developments include:
– Copilot Bounty Program Enhancements: The program now includes additional consumer products and offers increased incentives to researchers. Notably, Microsoft has integrated the Microsoft Vulnerability Severity Classification for Online Services into the Copilot Bounty Program, ensuring a consistent framework for evaluating vulnerabilities. Researchers identifying moderate severity vulnerabilities are now eligible for rewards up to $5,000. ([msrc.microsoft.com](https://msrc.microsoft.com/blog/2025/02/exciting-updates-to-the-copilot-ai-bounty-program-enhancing-security-and-incentivizing-innovation/))
– Identity Bounty Program Expansion: Additional APIs and domains that secure enterprise accounts have been incorporated, broadening the program’s scope and enhancing the security of Microsoft’s identity solutions.
– Microsoft 365 Bounty Program Updates: The inclusion of Viva Glint, Learning, Pulse, and Feature Access Control reflects Microsoft’s commitment to securing its comprehensive suite of productivity tools.
– Defender Bounty Program Additions: The program now covers Defender for Identity (MDI), Defender for Office (MDO), and Defender for Cloud Applications (MDA), addressing a broader spectrum of security concerns.
– Dynamics 365 & Power Platform Program Expansion: An AI category has been introduced, acknowledging the growing importance of artificial intelligence in business applications. Microsoft has increased bug bounty payouts to $30,000 for AI vulnerabilities found in Dynamics 365 and Power Platform services and products. Eligible AI vulnerability types include inference manipulation, model manipulation, and inferential information disclosure of critical or important severity. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/microsoft/microsoft-now-pays-up-to-30-000-for-some-ai-vulnerabilities/))
Zero Day Quest: A Platform for Collaboration
The Zero Day Quest event has emerged as a pivotal platform for collaboration between Microsoft and the global security research community. In its inaugural year, the event attracted over 600 vulnerability submissions, with Microsoft awarding more than $1.6 million during the qualifying research challenge and live event. The success of this initiative has prompted Microsoft to announce the 2026 research challenge, with up to $5 million in rewards for vulnerabilities in Azure, Copilot, Dynamics 365 and Power Platform, Identity, and Microsoft 365.
A Decade of Dedication to Security
Celebrating a decade since the launch of its bug bounty program, Microsoft has awarded over $92.5 million to security researchers worldwide. The program has evolved to prioritize objectivity and customer impact, focusing on the severity and security implications of reported vulnerabilities. By eliminating subjective measures such as novelty or complexity, Microsoft ensures that even simple bugs posing significant threats are addressed promptly. ([msrc.microsoft.com](https://msrc.microsoft.com/blog/2023/11/celebrating-ten-years-of-the-microsoft-bug-bounty-program-and-more-than-60m-awarded/))
Looking Ahead: Strengthening Partnerships
Microsoft’s ongoing enhancements to its bug bounty programs reflect a steadfast commitment to cybersecurity and a recognition of the invaluable contributions made by the global security research community. By expanding program scopes, increasing rewards, and fostering collaborative events like Zero Day Quest, Microsoft aims to stay ahead of emerging threats and continue to protect its vast user base.
As the digital landscape evolves, Microsoft’s proactive approach to engaging with security researchers worldwide underscores the importance of collaboration in building a safer and more secure technological environment for all.