Zero Day Quest 2026: $2.3M awarded for security vulnerability research

Protecting customers is at the core of Zero Day Quest. During the 2026 live hacking event, Microsoft partnered with the global security research community, representing more than 20 countries and a wide range of professional backgrounds, from high school students to college professors. Together, they helped identify and remediate more than 80 high-impact Cloud and AI security vulnerabilities, reducing real-world risk and strengthening protections across Microsoft products and services.

The Microsoft Security Response Center (MSRC) constantly works to uncover critical vulnerabilities early, accelerate remediation, and protect customers. Zero Day Quest combines an open qualifying research challenge with a live hacking event, enabling deeper collaboration with Microsoft teams and targeted research on the classes of issues that matter most to customer security.

Across the qualifying research challenge and the live hacking event, researchers submitted almost 700 cases, resulting in $2.3 million in awards.

Zero Day Quest plays a critical role in Microsoft's broader security strategy by not only enabling rapid mitigation of vulnerabilities, but also serving as a feedback mechanism for the Secure Future Initiative (SFI). By bringing researchers together with Microsoft security and engineering teams, the program helps surface classes of issues that can inform and evolve SFI requirements, ensuring similar weaknesses are identified and addressed earlier in the development lifecycle. These learnings are shared across teams to improve remediation planning, strengthen detection and isolation strategies, and enhance protections across identity, tenant, and service boundaries.

Many of the findings showed how weaknesses in identity controls or tenant isolation could allow issues identified within authorized test environments to impact other tenants if combined with execution or network-level vulnerabilities. Researchers conducted all testing within authorized environments in accordance with Microsoft's Rules of Engagement, demonstrating potential impact without accessing customer data or other tenant systems.

Within these constraints, researchers identified critical paths involving credential exposure, SSRF chains, and cross-tenant access. These findings reinforce the need for layered defenses and strong isolation boundaries across Microsoft's cloud and AI services, and underscore the importance of addressing upstream control gaps earlier in the development lifecycle in alignment with Secure Future Initiative priorities.

Zero Day Quest remains a core part of Microsoft's broader bug bounty program and our ongoing partnership with the security research community. We continue to encourage responsible reporting through Coordinated Vulnerability Disclosure (CVD), and we support public write-ups after mitigation to promote learning across the ecosystem. As part of our commitment to transparency, we issue CVEs for critical issues and apply insights from Zero Day Quest to improve security by design, by default, and in operations.

We're grateful for the continued collaboration with the global security research community and look forward to building on this work together to raise the security bar for everyone.

Tom Gallagher, VP Engineering, MSRC