Microsoft to offer hackers millions in Zero Day Quest event

Microsoft on Tuesday unveiled Zero Day Quest, a bug bounty event offering up to $4 million in rewards to security researchers.

The announcement was one of several related to security at this year's Microsoft Ignite conference, which is being held this week in Chicago. Zero Day Quest, an on-site event taking place next year in Redmond, Wash., will serve as an expansion of Microsoft's bug bounty and transparency initiatives under the company's Secure Future Initiative.

"At the end of the day, we recognize that when it comes to security, it's fundamentally a team sport," Microsoft CEO Satya Nadella said during his Tuesday keynote. "And that's why we want to partner, and we're partnering broadly with the security community."

Microsoft Security Response Center Vice President of Engineering Tom Gallagher said in a blog post published Tuesday that Zero Day Quest is the "largest of its kind" and will offer a potential $4 million in awards for research into cloud and AI, which he described as "high-impact areas."

"Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers -- bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe," Gallagher wrote.

A preliminary event was launched alongside the announcement: a research challenge in which certain vulnerability submissions within select scenarios are eligible for multiplied bounty rewards. For example, AI bounty rewards are doubled starting today. Moreover, submissions can qualify researchers for a spot at the main Zero Day Quest event next year. Full details are available on Microsoft's dedicated Zero Day Quest page.

In the blog post, Gallagher reaffirmed Microsoft's commitment to transparency as outlined in its Secure Future Initiative, which was further expanded in the spring. He said researchers will be encouraged to publicly discuss vulnerability findings once mitigated, and that Microsoft will support said efforts through blogs, podcasts and videos. This, he said, is in line with the company's approach to coordinated disclosure.

"As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program, even if they require no customer action," Gallagher said. "Learnings from the Zero Day Quest will be shared across Microsoft to help improve cloud and AI security -- by default, by design, and in operations."

Microsoft's SFI was introduced following a growing chorus of public criticism over the company's cybersecurity practice in recent years. One of the chief complaints from security researchers and vendors alike was Microsoft's lack of transparency around product vulnerabilities, particularly in cloud services. Infosec professionals accused the tech giant of downplaying vulnerabilities, silently patching cloud flaws and withholding technical details of significant threats.

In addition to Zero Day Quest, Microsoft announced the general availability of Microsoft Security Exposure Management, which is designed to provide customers with full visibility of their IT assets and attack surfaces. The product combines Microsoft's threat intelligence with signals from third-party partners, such as Rapid7, ServiceNow, Qualys and Tenable, to identify and mitigate potential threats.

Microsoft also unveiled several AI-related security features, including Data Loss Prevention for Microsoft 365 Copilot, which is now in public preview, as well as Data Security Posture Management, which the company said will enable customers to proactively identify data risks and receive relevant posture recommendations.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.