Microsoft just launched Zero Day Quest, a major new hacking initiative aimed at bolstering security for cloud and AI technologies, backed by $4 million in awards. The company is issuing a public call to cybersecurity experts and hobbyists worldwide to find vulnerabilities in Microsoft's AI, Azure, and other critical cloud platforms.
Why it matters: Microsoft's largest-ever bug bounty event underscores a growing focus on proactive security around AI systems and cloud infrastructure, especially as both technologies become increasingly critical to business operations and more deeply integrated into our daily lives.
The big picture: The Zero Day Quest combines a public research challenge with an invite-only hacking event, doubling rewards for AI-related vulnerabilities and offering direct access to Microsoft's security teams.
How it works:
- The research challenge runs from November 19, 2024, through January 19, 2025
- Researchers can target five key areas: Microsoft AI, Azure, Identity, M365, and Dynamics 365/Power Platform
- Critical vulnerabilities in remote code execution and privilege elevation get 50% bonus rewards
- All AI-related bounties are permanently doubled
What's different: Researchers who submit high-impact findings can not only earn doubled bounty awards for AI-related vulnerabilities but also qualify for an exclusive hacking event at Microsoft’s headquarters in Redmond, WA, next year.
- Microsoft is encouraging collaboration by giving researchers access to its AI engineers and AI Red Team, creating a unique chance to boost security research on the latest tools and technologies.
- The top 45 researchers from the challenge will be invited to Redmond for a special onsite event, with Microsoft covering expenses.
Between the lines: Microsoft is particularly focused on AI security, offering special training sessions with their AI Red Team and access to PyRIT (Python Risk Identification Toolkit for Generative AI), their open-source testing framework.
What they're saying: "This event is not just about finding vulnerabilities; it's about fostering new and deepening existing partnerships," says Tom Gallagher, VP of Engineering at Microsoft Security Response Center.
What's next: Microsoft says it will publicly share findings from the program through its Common Vulnerabilities and Exposures system, even for issues requiring no customer action.