Microsoft Bug Bounty Program

Microsoft strongly believes close partnerships with the global security researcher community make customers more secure. Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process and sharing them under Coordinated Vulnerability Disclosure (CVD). Each year we partner together to better protect billions of customers worldwide.

If you are a security researcher that has found a vulnerability in a Microsoft product, service, or device we want to hear from you. If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you may receive a bounty award according to the program descriptions. Even if it is not covered under an existing bounty program, we will publicly acknowledge your contributions when we fix the vulnerability. All vulnerability submissions are counted in our Researcher Recognition Program and Researcher Leaderboard, even if they do not qualify for bounty award.

Click here to submit a security vulnerability

The Microsoft Bug Bounty Programs are subject to the legal terms and conditions outlined here, and our bounty Safe Harbor policy.

Let the hunt begin !

Each bug bounty program has its own scope, eligibility criteria, award range, and submission guidelines to help researchers pursue impactful research without causing unintended harm, though they generally share the same high level requirements:

Cloud Programs

Program Name	Start date	Last Updated	End date	Eligible entries	Bounty Range
Microsoft Azure	2014-09-23	2021-10-18	Ongoing	Vulnerability reports on Microsoft Azure cloud services	Up to $60,000 USD
Microsoft Identity	2018-07-17	2019-10-23	Ongoing	Vulnerability reports on Identity services, including Microsoft Account, Azure Active Directory, or select OpenID standards.	Up to $100,000 USD
Xbox	2020-01-30	2020-01-30	Ongoing	Vulnerability reports on the Xbox Live network and services	Up to $20,000 USD
M365	2014-09-23	2019-08-05	Ongoing	Vulnerability reports on applicable Microsoft cloud services, including Office 365	Up to $20,000 USD
Microsoft Azure DevOps Services	2019-01-17	2019-01-17	Ongoing	Vulnerability reports on applicable Microsoft Azure DevOps Services	Up to $20,000 USD
Microsoft Dynamics 365 and Power Platform	2019-07-17	2022-04-14	Ongoing	Vulnerability reports on applicable Microsoft Dynamics 365 and Power Platform applications	Up to $20,000 USD
Microsoft .NET	2016-09-01	2020-11-20	Ongoing	Vulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see link for program details)	Up to $15,000 USD
Microsoft AI	2023-10-12	2023-10-12	Ongoing	Vulnerability reports on the AI-powered Bing experiences	Up to $15,000 USD
Microsoft Defender	2023-11-21	2023-10-21	Ongoing	Vulnerability reports on Microsoft Defender for Endpoint APIs	Up to $20,000 USD

Platform Programs

Program Name	Start Date	Last Updated	End Date	Eligible Entries	Bounty Range
Microsoft Hyper-V	2017-05 -31	2020-04-13	Ongoing	Critical remote code execution, information disclosure and denial of services vulnerabilities in Hyper-V	Up to $250,000 USD
Microsoft Windows Insider Preview	2017-07-26	2020-08-27	Ongoing	Critical and important vulnerabilities in Windows Insider Preview	Up to $100,000 USD
Microsoft Applications and On-Premises Servers	2021-03-24	2022-04-05	Ongoing	Critical and important vulnerabilities in Microsoft Applications and On-Premises Servers	Up to $30,000 USD
Windows Defender Application Guard	2017-07-26	2017-07-26	Ongoing	Critical vulnerabilities in Windows Defender Application Guard	Up to $30,000 USD
Microsoft Edge (Chromium-based)	2019-08-20	2021-10-21	Ongoing	Critical, important, and moderate vulnerabilities in Microsoft Edge (Chromium-based) Dev, Beta, and Stable channels	Up to $30,000 USD
Microsoft 365 Insider	2017-03-15	2024-02-27	Ongoing	Vulnerabilities on Microsoft 365 Insider	Up to $15,000 USD

Defense & Grant Programs

Program Name	Start Date	Last Updated	End Date	Eligible Entries	Bounty Range
Mitigation Bypass and Bounty for Defense	2013-06-26	2018-10-02	Ongoing	Novel exploitation techniques against protections built into the latest version of the Windows operating system. Additionally, defensive ideas that accompany a Mitigation Bypass submission.	Up to $100,000 USD (plus up to an additional $100,000)
Grant: Microsoft Identity	2020-01-09	2020-04-09	Ongoing	This project grant awards up to $75,000 USD for approved research proposals that improve the security of the Microsoft Identity solutions in new ways for both Consumers (Microsoft Account) and Enterprise (Azure Active Directory).	Up to $75,000 USD
SIKE Cryptographic Challenge	2021-06-09	2021-06-09	Ongoing	This challenge awards up to $50,000 USD for solutions that break the SIKE algorithm for two sets of toy parameters.	Up to $50,000 USD

Additional resources for security researchers

We have pulled together additional resources to help you understand our bounty program offerings and even help you get started on the path or to higher payouts. We truly view this as a collaborative partnership with the security community. Your success in this program helps further our customer’s security and the ecosystem.

Frequently Asked Questions

What to Expect When Reporting Vulnerabilities to Microsoft

Example of High Quality Reports

Researcher Recognition Program

Microsoft Bounty Legal Safe Harbor

Windows Security Servicing Criteria

Microsoft Vulnerability Severity Classification for AI Systems

Microsoft Vulnerability Severity Classification for Online Services

Directory of Azure Services

Microsoft Documentation for end users, developers, and IT professionals

Microsoft Security Research & Defense Blog

HackerOne’s Hacker101 training

Bugcrowd University

Out of Bounty Scope

Some submission types are generally not eligible for Microsoft bounty awards. Please refer to our bounty programs for additional information on eligible submission, vulnerability, or attack methods.