Microsoft on Tuesday announced that 344 security researchers in 59 countries received $17 million in rewards through its bug bounty programs over the past year.
This is the highest total bounty the Redmond-based tech giant has distributed in a single year since launching its bug bounty programs in 2018, and brings the total paid out to $92.5 million.
Last year, the company said it handed out $16.6 million in rewards between July 1, 2023, and June 30, 2024, and the amount was roughly $13 million every year between 2020 and 2023.
The $1.6 million it paid out during the Zero Day Quest qualifying research challenge was also included in the 2025 total. Microsoft received over 600 vulnerability submissions as part of the event.
This week, the company announced it is now accepting submissions for the 2026 research challenge, and that it is betting up to $5 million in rewards for bugs in Azure, Copilot, Dynamics 365 and Power Platform, Identity, and M365.
Over the past year, the tech giant has updated its bug bounty programs to expand coverage to more products and services, and to align the bounty initiatives with emerging threats and security challenges.
The Copilot bounty program now covers more consumer products and offers higher incentives to researchers. Additional APIs and domains that secure Enterprise accounts were added to the Identity bounty program, and Viva Glint, Learning, Pulse, and Feature Access Control are now in scope of the M365 program.
Microsoft also announced the inclusion of Defender for Identity (MDI), Defender for Office (MDO), and Defender for Cloud Applications (MDA) in the Defender bounty program. The company expanded the Dynamics 365 & Power Platform program with an AI category, and refreshed the attack scenario rewards in the Windows bounty program.
“Bounty awards are determined by the severity and potential impact of the reported vulnerability, as well as the clarity, accuracy, and completeness of the submission. We prioritize awards in areas that matter most to our customers, encouraging research that drives meaningful security improvements where it counts most,” Microsoft notes.
Related: Microsoft Boosts .NET Bounty Program Rewards to $40,000
Related: Microsoft’s Project Ire Autonomously Reverse Engineers Software to Find Malware
Related: Google Paid Out $12 Million via Bug Bounty Programs in 2024
Related: Microsoft Offers $5 Million at Zero Day Quest Hacking Contest
