Microsoft Zero Day Quest Live Hacking Event 2025
ZERO DAY QUEST OVERVIEW
As announced in the MSRC Blog, Securing AI and Cloud with the Microsoft Zero Day Quest, the Microsoft Zero Day Quest invites security researchers to discover and report high-impact vulnerabilities in Microsoft Copilot and Cloud Bounty Programs: Microsoft Azure, Microsoft Identity, M365, and Microsoft Dynamics 365 and Power Platform. This new program provides new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers to share, learn, and build community as we work to keep everyone safe.
Zero Day Quest has two distinct opportunities:
- A Research Challenge (open to everyone) - Closed
- An onsite Live Hacking Event (invite only) - Closed
The Zero Day Quest Live Hacking Event is Microsoft’s inaugural security research-focused event and celebration to be hosted onsite at the Microsoft Campus in Redmond, Washington in April, 2025. This event will foster new and deepening existing partnerships with MSRC, product teams, and external researchers, raising the security bar for all.
This is an invite-only event extended to Microsoft’s top 10 ranked researchers from each of the 2024 Quarterly and 2024 Annual Azure, Dynamics, and Office Leaderboards. Researchers who were not ranked on leaderboards were also given the opportunity to qualify for the event through the Zero Day Quest Research Challenge which ran between November 19, 2024 and January 19th, 2025.
NOTE: Researchers who have not received an invitation to this event are not eligible for the awards listed below.
LIVE HACKING EVENT SCOPE
The Zero Day Quest Live Hacking Event was invite-only and ran from 12:00 AM Pacific Time, March 3, 2025, through 11:59 AM Pacific Time, April 3, 2025.
The Live Hacking Event will be subject to the terms of our bounty program, outlined in the Microsoft Bounty Terms and Conditions, our bounty Safe Harbor policy, and additional terms and conditions for the Research Challenge. First-time researchers are encouraged to review the MSRC Researcher Resource Center as well as the definitions surrounding eligible submissions, in-scope, and out-of-scope vulnerabilities before getting started. This information can be found in the respective bug bounty programs listed below.
Bounty Programs in Scope:
OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES
Please refer to the out-of-scope sections of the following bounty programs, Copilot, Azure, Identity, M365, Dynamics & Power Platform.
BOUNTY AWARD BONUSES (closed)
Bounty multipliers for the categories below will be applied to valid, Important or Critical severity issues that align with the existing Microsoft Copilot, Azure, Identity, M365, and Dynamics & Power Platform Programs. These bonuses are effective only for the duration of the Live Hacking Event.
Scenario | Amount | Eligible Bounty Programs |
---|---|---|
Prompt injection leading to exfiltration of user's data without any user interaction |
+100%
|
Microsoft Copilot
|
Remote code execution through untrusted input (CWE-94 “Improper Control of Generation of Code ('Code Injection')”) |
+100%
|
Microsoft Copilot
|
Unauthorized Cross-tenant and cross-identity sensitive data1 leakage (CWE-200 “Exposure of Sensitive Information to an Unauthorized Actor”) 1Sensitive data includes, without limitation, personal information, emails, or chats. |
+100%
|
Microsoft Copilot
|
“Confused deputy” vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918 “Server-Side Request Forgery (SSRF)”) |
+100%
|
Microsoft Copilot
|
All other vulnerabilities in Microsoft Copilot |
+50%
|
Microsoft Copilot
|
Remote Code Execution |
+50%
|
All ZDQ Programs
|
Multifactor Authentication Bypass (MFA) |
+100%
|
All ZDQ Programs
|
Authentication Bypass (non-MFA) |
+50%
|
All ZDQ Programs
|
Authorization Bypass |
+50%
|
All ZDQ Programs
|
Cross Tenant Information Disclosure or Elevation of Privilege |
+50%
|
All ZDQ Programs
|
All existing "High Impact Scenarios" |
+20%
|
Azure, M365, Dynamics 365 & Power Platform
|
Server Side Request Forgery (SSRF) |
+20%
|
Azure
|
Cross Site Scripting with CSP Bypass
|
+20%
|
Dynamics 365 & Power Platform
|
Vulnerabilities in select Public Preview Products:
o Microsoft Graph Data Connect o Azure HDInsights on Azure Kubernetes Service (AKS) o Azure Compute Fleet o Azure Kubernetes Fleet Manager o Azure Managed Confidential Consortium Framework (CCF) o Microsoft Azure Data Manager for Agriculture o Microsoft Copilot in Azure o Azure Blueprints o Update Management Center o Azure Storage Actions
o Power Platform Managed Identity o Dataverse Connectors Subnet Delegation
o Tasks – Multi-Agent Runtime Service o Office HRD o M365 Home Pages o Office Calc – Office Add-ins – Script Lab o Unified Purview Portal for Compliance + Governance
|
+20%
|
Azure, M365, Dynamics 365 & Power Platform
|
*If you submit a valid issue that is eligible for both General Award multipliers and High Impact Scenario multipliers, then you will receive the High Impact Scenario multiplier.
NOTE: Please refer to specific bounty program terms for eligible in-scope vulnerabilities and reward amounts. These multipliers are valid only for the invite-only Zero Day Quest Live Hacking Event.

Zero Day Quest: Flash challenges with awards up to $100K! (closed)
We’re launching a series of time-sensitive challenges with hidden flags for our researchers to uncover! The first researcher to capture a flag in any of the scenarios listed below will earn an exclusive one-time award. This award is standalone and will not be combined with the base bounty and multiplier.
The SharePoint Online and Exchange Online flash challenges ran from 09:00 AM Pacific Time, March 20, 2025, through 11:59 AM Pacific Time, April 3, 2025.
The Copilot flash challenge ran from 10:00 AM Pacific Time on March 26, 2025, through 11:59 AM Pacific Time on April 3, 2025.
TARGET INFORMATION
- Products: SharePoint Online and Exchange Online
- Users in this tenant have Teams Enterprise + Microsoft 365 E5 licenses.
- Your credentials and high-level tenant details have been emailed to you directly!
- Product: Copilot
- Access Microsoft Copilot here and log in or register for a personal account.
OUT OF SCOPE
For the SharePoint Online and Exchange Online challenges, please refer to the out-of-scope section for the M365 Bounty Program, in addition to the following:
- Cross Site Scripting vulnerabilities
- Vulnerabilities found in on-prem versions of the application
- Vulnerabilities requiring user interaction or significant preconditions
- Vulnerabilities relying on third party code or extensions
- Vulnerabilities relying upon email spoofing
For the Copilot challenge, please refer to the out-of-scope section for the Copilot Bounty Program.
Scenario | Amount |
---|---|
Authentication Bypass - Cross Tenant | $100k
|
$100,000
|
Authorization Bypass - Within Tenant
|
$50,000
|
SQL Injection
|
$50,000
|
Remote Code Execution
|
$25,000
|
Arbitrary File Write
|
$25,000
|
High-Privileged Entra Token Leak
|
$15,000
|
Scenario | Amount |
---|---|
Authentication Bypass - Cross Tenant
|
$100,000
|
Authorization Bypass - Within Tenant
|
$50,000
|
Remote Code Execution
|
$25,000
|
Authorization Bypass - Within Tenant
|
$15,000
|
Scenario | Amount |
---|---|
Access another user’s conversation history
|
$50,000
|
ELIGIBLE SUBMISSIONS (closed)
The goal of the bounty program is to uncover significant technical vulnerabilities that have a direct and demonstrable impact on the security of our customers using the latest version of the application.
Vulnerability submissions must meet the following criteria to be eligible for bounty awards:
- Identify a vulnerability that was not previously reported to, or otherwise known by, Microsoft.
- Such vulnerability must be of previously unreported Critical or Important severity and must reproduce in one of the in-scope products or services.
- Include clear, concise, and reproducible steps, either in writing or in video format, providing our engineering team with the information necessary to quickly reproduce, understand, and fix the issues
Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria. For additional details, please refer to the specific Microsoft Copilot, Microsoft Azure, Microsoft Identity, M365, and Microsoft Dynamics 365 and Power Platform bounty program page.
HOW TO SUBMIT
Submit through the MSRC Researcher Portal and follow the instructions.
Please include the following in your submissions:
- ZDQ in the title of your submission
- Targeted bonus categories
- Full proof of concepts
- Videos will assist in increasing the timeliness of the assessment of your submissions
RULES OF ENGAGEMENT
If you discover customer or Microsoft data while conducting your research, or are unclear if it is safe to proceed, please stop and contact us at bounty@microsoft.com. The following are not permitted:
- Gaining access to any data that is not wholly your own.
- For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access the data that is not your own.
- Moving beyond “proof of concept” repro steps for server-side execution issues
- For example, proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not).
- Any kind of Denial of Service testing.
- Performing automated testing of services that generates significant amounts of traffic.
- Attempting phishing or other social engineering attacks against others, including our employees. The scope of this program is limited to technical vulnerabilities in the specified Microsoft Online Services.
- Using our services in a way that violates the terms for that service.
Please see the specific bounty program for additional details. Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.
RESOURCES FOR PROGRAM PARTICIPANTS
To help you with your Zero Day Quest submissions, check out sessions from the AI Red Team, Microsoft Security Response Center, and Dynamics teams:
- Learn to Red Team AI Systems Using PyRIT
- Microsoft's Bug Bounty Program and AI Research
- Security Research in Copilot Studio
ADDITIONAL TERMS AND CONDITIONS FOR THE LIVE HACKING EVENT
- If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
- If a duplicate report provides us with new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission.
- If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
- Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.
- If the onsite Live Hacking Event is canceled for any reason, Microsoft will not seek reimbursement for any travel expenses.
- If any of the 45 participants selected to advance to the onsite Live Hacking Event in Redmond, WA are minors in their legal place of residence, they will be required to travel with a parent/legal guardian. Travel subject to availability and must be completed on dates specified by Microsoft or the opportunity will be forfeited and awarded to the next runner up. Any expenses not described above are the responsibility of the traveler(s) including but not limited to taxes, ground transportation, gratuities, and room charges. Winner and any guests must travel on same itinerary. If included, winner’s travel companion must execute a Liability/Publicity Release prior to issuance of travel documents. If included, travel companion must be the age of majority in their legal place of residence, or the parent/legal guardian of the winner. Winner and any guests are responsible for providing all required travel documents, including, but not limited to government issued ID, Visa, or Passport. Once made, no cancellation or change of reservation allowed. If winner lives within 300 miles of travel destination, Sponsor reserves the right to provide alternative transportation. Actual value depends on date/time/destination, and difference between actual value and stated value will not be awarded.
- For questions regarding the Research Challenge and/or Microsoft’s bounty rules, please email bounty@microsoft.com.
- For questions regarding the Live Hacking Event or to find out who won, please email bluehat@microsoft.com with the subject line “Microsoft Zero Day Quest Live Hacking Event.”
REVISION HISTORY
- March 3, 2025: The Zero Day Quest Live Hacking Event launched.
- March 20, 2025: Added Flash Challenges for SharePoint Online and Exchange Online.
- March 26, 2025: Added Flash Challenge for Copilot.
- August 4, 2025: Moved Zero Day Quest 2025 content to seaprate page.