Microsoft is creating an in-person hacking event, Zero Day Quest, which it says will be the largest of its kind. The event will build upon Microsoft’s existing bug bounty program, and incentivize research into high-impact security flaws that can affect the software powering cloud and AI workloads.
“This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI,” explains Tom Gallagher, VP of engineering at Microsoft’s security response center. “Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers — bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe.”
The Zero Day Quest starts today, with Microsoft accepting submissions for research that is eligible for bounty awards. These submissions will qualify security researchers for a spot at the in-person hacking event at Microsoft’s headquarters in Redmond, Washington in 2025.
Microsoft is doubling the awards that it pays out for AI bounties, and it’s also offering security researchers direct access to Microsoft AI engineers and the company’s AI Red Team — a group of experts that probe Microsoft’s AI systems for failures.
“As part of our ongoing commitment to transparency, we will share the details of the bugs once they are fixed so the whole industry can learn from them — after all, security is a team sport,” says Vasu Jakkal, corporate vice president of security at Microsoft. Any critical vulnerabilities will be shared through the Common Vulnerabilities and Exposures (CVE) program, and Microsoft plans to share what it learns across the company to improve its cloud and AI security.
This new security event comes after Microsoft embarked on its largest-ever security transformation. Microsoft made security its number one priority for every employee earlier this year, following years of security issues and a scathing report from the US Cyber Safety Review Board.
Microsoft Security Exposure Management is also launching today, providing defenders with a graph-based view of a business’ login credentials, permissions, and other security-related elements that can identify potential attack vectors.