Come And Hack Us Then, Microsoft Says, Putting $4 Million Up For Grabs
While Google might be better known for having some of the finest security researchers and hackers helping to keep its users safe from malicious threats, Microsoft also has security teams working around the clock to keep the threat actors out. Now Tom Gallagher, the vice president of engineering at the Microsoft Security Response Center, has issued a challenge to all hackers out there: come and have a go if you think you’re good enough. Here’s what you need to know about the new Zero Day Quest bug bounty challenge that is designed to incentivize research of the highest impact, with a cool $4 million up for grabs.
Microsoft’s Zero Day Quest To Secure AI And The Cloud
Like most other organizations worth their salt, especially those in the technology sector, Microsoft partners with the wider security community through bug bounty programs to both identify and mitigate vulnerabilities. In a Nov. 19 announcement, Gallagher confirmed the latest move to expand the Microsoft bug bounty program with the launch of what it’s calling the Zero Day Quest. The largest hacking event of its kind, according to Gallagher, Zero Day Quest will include $4 million of potential rewards for vulnerabilities impacting cloud and AI.
With immediate effect, the Zero Day Quest begins with a research challenge in which, Gallagher said, “vulnerability submissions within targeted scenarios during the event are eligible for multiplied bounty awards.” Hackers taking part in this challenge can also qualify for a place in the onsite hacking event to take place at Microsoft’s headquarters in Redmond in 2025.
Gallagher also announced that AI bounty payments are being doubled, along with direct access to the Microsoft AI engineers developing secure solutions and to the Microsoft AI red team penetration testers.
Zero Day Quest Hacking Rules Of Engagement For AI, Cloud And All
Microsoft has published the rules of engagement for any hackers wanting to participate. Hackers who are unsure whether it is safe to proceed, for example because they have come across customer or Microsoft data, should stop and contact bounty@microsoft.com immediately.
The following are out-of-scope:
- Gaining access to any data that is not wholly your own.
- Moving beyond “proof of concept” repro steps for server-side execution issues.
- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Attempting phishing or other social engineering attacks against others, including our employees.
“The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services,” Microsoft said.
This event is not just about finding vulnerabilities, Gallagher concluded, “it’s about fostering new and deepening existing partnerships between the Microsoft Security Response Center, product teams, and external researchers,” and if that means more secure cloud and AI services, all the better.