Microsoft’s $2.3M Investment in Zero Day Quest: Strengthening Cloud and AI Security

Microsoft Awards $2.3 Million to Security Researchers in Zero Day Quest Contest

Microsoft recently recognized the efforts of security researchers by granting $2.3 million in rewards as part of the Zero Day Quest hacking contest. The contest, which attracted nearly 700 submissions, showcased the commitment and expertise of the global security research community.

Tom Gallagher, Vice President of Engineering at Microsoft Security Response Center (MSRC), highlighted that the live event held at Microsoft’s Redmond campus uncovered over 80 high-impact cloud and AI security vulnerabilities. Participants from over 20 countries with diverse professional backgrounds, ranging from high school students to college professors, contributed to the success of the event.

The researchers conducted their testing within authorized environments, adhering to Microsoft’s Rules of Engagement. This approach ensured that potential vulnerabilities were identified without compromising customer data or tenant systems. Critical paths involving credential exposure, SSRF chains, and cross-tenant access were among the key findings.

Microsoft’s commitment to fostering cybersecurity innovation was further demonstrated by the decision to increase the prize pool for the Zero Day Quest hacking contest to $5 million. This initiative, described as the “largest hacking event in history,” aimed to incentivize researchers to uncover vulnerabilities in cloud and AI products and platforms.

Following the conclusion of the 2025 Zero Day Quest, Microsoft distributed $1.6 million in rewards to researchers who submitted over 600 vulnerabilities. The success of the contest underscored the company’s dedication to enhancing its security culture and practices.

The Zero Day Quest contest is an integral part of Microsoft’s Secure Future Initiative (SFI), a cybersecurity engineering effort launched in response to feedback from the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative focuses on enhancing security measures across Microsoft’s Cloud and AI offerings.

As part of SFI, Microsoft is committed to sharing critical vulnerabilities transparently through the CVE program, regardless of customer impact. The insights gained from events like the Zero Day Quest will be leveraged to strengthen Cloud and AI security, aligning with SFI’s core principles of securing by default, by design, and in operations.

Microsoft’s bug bounty program also garnered attention, with the company rewarding $17 million to 344 security researchers from 59 countries in a single year. Additionally, Microsoft announced plans to compensate researchers for identifying critical vulnerabilities in its online services, even if the vulnerable code was developed by a third party.
