Microsoft Pays $2.3M for Cloud, AI Security Flaws

Summary

– Microsoft awarded $2.3 million to researchers after receiving nearly 700 vulnerability submissions in its 2026 Zero Day Quest hacking contest.
– Over 80 of the flaws discovered during the live event were high-impact vulnerabilities in cloud and AI security.
– The contest is part of Microsoft’s Secure Future Initiative, launched after a critical government report on the company’s security culture.
– Microsoft had previously increased the 2026 contest’s prize pool to $5 million, calling it the largest such event in history.
– In a separate 2025 bug bounty period, Microsoft paid a record $17 million to researchers across 59 countries.

Microsoft has distributed $2.3 million in rewards to researchers following its latest Zero Day Quest hacking contest, which drew close to 700 vulnerability submissions. The live event, held at the company’s Redmond headquarters, led to the discovery of more than 80 high-severity flaws in its cloud and AI platforms. According to Tom Gallagher, Vice President of Engineering at the Microsoft Security Response Center, the global research community involved participants from over 20 countries, including high school students and university professors.

All testing was performed within strictly authorized environments under Microsoft’s established rules, ensuring no customer data or external tenant systems were accessed. Within these controlled parameters, investigators uncovered critical attack vectors, including scenarios for credential exposure, SSRF chains, and cross‑tenant access vulnerabilities. This structured approach allowed the demonstration of potential impact while maintaining security boundaries.

The 2026 contest featured an increased prize pool of $5 million, which Microsoft had promoted as the largest hacking event in history. This follows a similar pattern from the previous year, when the company offered $4 million in bounties for cloud and AI vulnerabilities. After the 2025 competition concluded, Microsoft paid out $1.6 million for more than 600 submitted reports, highlighting the program’s growing scale and researcher engagement.

Zero Day Quest is a cornerstone of Microsoft’s broader Secure Future Initiative, a comprehensive cybersecurity engineering effort launched in late 2023. The initiative was established after a critical review by the U.S. Department of Homeland Security’s Cyber Safety Review Board, which described the company’s security culture as inadequate and in need of a complete overhaul. As part of this commitment, Microsoft pledges to transparently disclose critical vulnerabilities through the CVE program and apply lessons learned from these hacking events across its engineering teams.

The principles guiding this work focus on securing by default, by design, and in operations. Earlier this year, Microsoft highlighted its ongoing investment in security research, noting it paid a record $17 million to 344 researchers across 59 countries through its bug bounty program between July 2024 and June 2025. In a significant policy shift announced last December, the company also committed to rewarding findings for critical flaws in any of its online services, even when the vulnerable code originates from a third-party supplier.

(Source: BleepingComputer)
