Microsoft Offers $5 Million at Zero Day Quest Hacking Contest

Research demonstrating high-impact cloud and AI security flaws will be rewarded at Microsoft’s Zero Day Quest competition in spring 2026.

Microsoft is offering up to $5 million to security researchers participating in the Zero Day Quest hacking competition, set to take place in spring 2026.

Zero Day Quest 2026 will be the second installment of the live hacking competition, after the tech giant paid out $1.6 million for vulnerability research as part of this year’s event.

Between August 4 and October 4, 2025, Microsoft is accepting submissions for vulnerabilities in Microsoft Azure, Copilot, Dynamics 365 and Power Platform, Identity, and M365, as part of the Zero Day Quest Research Challenge.

Critical-severity vulnerabilities and high-impact scenarios uncovered during the challenge are eligible for a +50% bounty multiplier, the tech giant announced.

Participating researchers will have the chance to qualify for the invite-only live hacking event, which will be held at Microsoft’s Redmond campus in spring 2026.

“This event will bring together the world’s leading security researchers — those who have demonstrated exceptional impact through their research — to collaborate directly with Microsoft product teams and the Microsoft Security Response Center (MSRC),” the company says.

Microsoft is also offering training sessions from the AI Red Team, MSRC, and Dynamics teams to all Zero Day Quest participants, and encourages them to share details on their findings publicly once the identified issues have been patched.

“As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the CVE program, even if no customer action is required. Learnings from the Zero Day Quest will be shared across Microsoft to help improve Cloud and AI security in alignment with SFI’s core principles: securing by default, by design, and in operations,” the company notes.

The Zero Day Quest contest is subject to the terms of Microsoft’s bug bounty program, as well as additional terms and conditions for both the challenge and the exclusive event. Instructions on how to submit reports can be found on the MSRC Researcher Portal.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
