Microsoft announced today at its Ignite annual conference in Chicago, Illinois, that it's expanding its bug bounty programs with Zero Day Quest, a new hacking event focusing on cloud and AI products and platforms.
The Zero Day Quest starts today with a research challenge where submissions of vulnerabilities for specific scenarios can earn multiplied bounty awards and may qualify for the 2025 onsite hacking event (invite only) in Redmond, Washington. This challenge is open to everyone and will run from November 19, 2024, through January 19, 2025.
To further advance AI security, starting today, Microsoft says it will also offer double bounty awards for AI vulnerabilities reported by security researchers while also providing them with direct access to the Microsoft AI engineers and the company's AI Red Team.
"This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI," said Tom Gallagher, VP of Engineering at the Microsoft Security Response Center (MSRC).
"Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers – bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe."
This is part of Microsoft's Secure Future Initiative (SFI), a cybersecurity engineering effort launched in November 2023 to strengthen security across its products, just ahead of a scathing report issued by the Cyber Safety Review Board of the U.S. Department of Homeland Security, which said the company's "security culture was inadequate and requires an overhaul."
As BleepingComputer reported, Microsoft found itself on the receiving end of Chinese hackers' attacks in May, when the attackers stole over 60,000 emails from U.S. State Department accounts after breaching the company's cloud-based Exchange email platform.
Security flaws affecting multiple other Microsoft products and platforms have also been used in widespread attacks. For instance, in recent years, many threat actors (including ransomware gangs) have abused ProxyShell, ProxyNotShell, and ProxyLogon vulnerabilities to target tens of thousands of Exchange servers exposed online.
"As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program, even if they require no customer action," Gallagher added.
"Learnings from the Zero Day Quest will be shared across Microsoft to help improve cloud and AI security - by default, by design, and in operations."
Today, Microsoft also shared more information on the new administrator protection security feature, available in preview on Windows 11 devices and designed to block access to critical system resources using extra Windows Hello authentication prompts.
"Since launching SFI, we've focused the equivalent of 34,000 full-time engineers on the highest-priority security challenges," added David Weston, the company's Vice President for Enterprise and OS Security, today.