 

Microsoft Zero Day Quest Live Hacking Event

OVERVIEW

As announced in the MSRC blog, Microsoft Zero Day Quest invites security researchers to discover and report high-impact vulnerabilities in Microsoft Azure, Microsoft Copilot, Microsoft Dynamics 365 and Power Platform, Microsoft Identity, and M365 Bounty Programs. Zero Day Quest provides new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers to share, learn, and build community as we work to keep everyone safe.

This challenge has two distinct opportunities:

The Live Hacking Event is Microsoft’s annual celebration of security research, hosted at Microsoft’s Redmond campus in Spring 2026. This event will foster new partnerships and strengthen existing ones among MSRC, product teams, and external researchers, raising the security bar for all.

Full details about the Zero Day Quest Research Challenge can be found here.

 

QUALIFYING FOR THE ZERO DAY QUEST LIVE HACKING EVENT

The Zero Day Quest Live Hacking Event is an invite-only event extended to up to 45 MSRC security researchers who have either:

  • Submitted >1 valid case to the MSRC and received a critical severity or high impact scenario bounty award in the last year that focus on cloud or AI research areas; OR
  • Qualified based on their submissions to the Zero Day Quest Research Challenge, which runs from August 4 to October 4, 2025. The top researchers, by bounty awarded amount, for cases submitted under the eligible scope during the Research Challenge, will be invited to participate in the Zero Day Quest Live Hacking Event.

 

LIVE HACKING EVENT SCOPE - coming soon!


 
 

HOW TO SUBMIT

Visit the MSRC Researcher Portal and follow the instructions to submit your reports.

Microsoft is not responsible for excess, lost, late, or incomplete submissions. If disputed, submissions will be deemed submitted by the “authorized account holder” of the email address used to enter. The “authorized account holder” is the natural person assigned to an email address by an internet or online service provider, or other organization responsible for assigning email addresses.

 

BOUNTY AWARDS

Researchers who submit eligible submissions will receive bounty awards in the amounts specified in the terms of the relevant bounty program. Once submitted, your submission will be reviewed by the Microsoft Security Response Center to determine if it is eligible for a bounty award, based on the judgment criteria specified in the relevant bounty program.

Bounty awards will be awarded in accordance with the Microsoft Bounty Terms and Conditions.

 

BOUNTY AWARD BONUSES - coming soon!

 

 

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES - coming soon!


 
 

TRAVEL AND ACCOMMODATIONS

Microsoft will reimburse participants for the cost of round-trip economy airfare from the major airport closest to the participant’s home, up to $2,000 USD for international travel and up to $750 USD for travel within North America (including Canada and Mexico), subject to the following conditions:

  • Reimbursement is limited to the base fare and standard taxes only. Optional add-ons, including seat upgrades, baggage fees, early boarding, or other ancillary charges, will not be reimbursed.
  • If a participant lives within 300 miles of the event location, Microsoft reserves the right to provide alternative transportation. Actual value depends on date/time/destination, and any difference between actual value and stated value will not be awarded.
  • Participants are responsible for securing all required travel documents, including but not limited to government-issued ID, Visa, or Passport. Once made, no cancellation or change of reservation is allowed.
  • Travel must be completed on dates specified by Microsoft or the opportunity will be forfeited and awarded to the next runner-up.
  • Reimbursement will be issued only after the event has concluded and a valid, itemized receipt is submitted to bluehat@microsoft.com. If the flight was not purchased in USD, reimbursement will be calculated based on the exchange rate at the time of purchase.

Microsoft will provide hotel accommodations for up to five nights for international travelers and up to four nights for domestic travelers (within North America). Final accommodations are subject to change based on event scheduling and travel logistics. Microsoft will only provide accommodations during the official dates of the event. Any additional nights outside of those dates must be paid for by the participant.

If any of the selected participants are minors in their legal place of residence, they must be accompanied by a parent or legal guardian. Microsoft will cover economy airfare for the guardian and shared hotel accommodation. If a separate hotel room is requested, the additional cost must be covered by the traveler. Minor and parent/guardian must travel on the same itinerary. If included, the minor's travel companion must execute a Liability/Publicity Release prior to issuance of travel documents.

Any expenses not explicitly described above are the responsibility of the participant(s), including but not limited to taxes, ground transportation, gratuities, meals, and room charges. If the Live Hacking Event is canceled for any reason, Microsoft will not seek reimbursement for any travel or accommodation expenses.

 

RESEARCH RULES OF ENGAGEMENT

To maintain the security and integrity of our services, all participants in Microsoft's bounty programs must strictly adhere to the Microsoft Security Testing Rules of Engagement (ROE). These guidelines are crafted to enable security researchers to assess the security of Microsoft Online Assets effectively while ensuring that other customers and infrastructure remain unaffected. For comprehensive details about these rules, please consult the Microsoft ROE website.

If you accidentally access unauthorized data, stop immediately. Notify MSRC with the details, delete the data, and acknowledge this in any bug bounty report. Do not share the accessed information.

 

PROHIBITED ACTIVITIES

Engaging in the disruption, compromise, access, storage, or damage of data or property without explicit written consent from the owner, or adversely affecting Microsoft services for other users, is strictly prohibited and will result in disqualification. Specific prohibited activities include but are not limited to:

  • Accessing customer or Microsoft data and testing customer systems without explicit permission: Any interaction with data or systems that you do not own or have explicit permission to access is prohibited. This includes accessing customer data, Microsoft data, or testing systems that belong to customers.
    • Examples: Extracting training data, model architectures, model weights, training code, customer documents, metadata, names, configuration files, system logs, or any other unauthorized data.
  • Using credentials or other secrets that are not your own. This includes any credentials or secrets that you do not own, regardless of how they are obtained, including those that were leaked publicly.
  • Interacting with storage accounts that are not part of your subscription or that you do not own.
  • Performing denial-of-service testing.
  • Executing network-intensive fuzzing or automated testing that generates excessive traffic.
  • Conducting phishing or social engineering attacks targeting Microsoft employees or using Microsoft services to perform phishing or other social engineering attacks against others.

 

Please see the specific bounty program for additional details. Even with these restrictions in place, Microsoft retains the authority to respond to any actions conducted on its networks that are deemed malicious in nature.

 

USE OF YOUR SUBMISSION

We are not claiming ownership rights to your submission. However, by providing your submission to Microsoft, you grant Microsoft rights to use your submission as provided in the Microsoft Bounty Terms and Conditions. You will not receive any compensation or credit for use of your submission, other than what is described in this page or the bounty program pages linked to above.

By providing your submission to Microsoft, you acknowledge that Microsoft may have developed or commissioned materials similar or identical to your submission and you waive any claims resulting from any similarities to your submission. Further you understand that Microsoft will not restrict work assignments of representatives who have had access to your submission, and you agree that use of information in our representatives’ unaided memories in the development or deployment of our products or services does not create liability for Microsoft under copyright or trade secret law. Microsoft is not obligated to use your submission for any purpose.

 

RESOURCES FOR PROGRAM PARTICIPANTS

To help you with your Zero Day Quest submissions, check out sessions from the AI Red Team, Microsoft Security Response Center, and Dynamics teams:

 

ADDITIONAL TERMS AND CONDITIONS FOR THE LIVE HACKING EVENT - coming soon!


 

 

REVISION HISTORY

  • March 3, 2025: The Zero Day Quest Live Hacking Event launched. 
  • March 20, 2025: Added Flash Challenges for SharePoint Online and Exchange Online.
  • March 26, 2025: Added Flash Challenge for Copilot.
  • August 4, 2025: Updated the Zero Day Quest Live Hacking Event page with new event information.