Microsoft paid a record $17 million to 344 security researchers across 59 countries through its bug bounty program between July 2024 and June 2025, with researchers submitting 1,469 eligible vulnerability reports that helped resolve over 1,000 potential security vulnerabilities.
Microsoft distributed $17 million in bounty payments to security researchers over the past 12 months, marking the highest annual payout in the company's bug bounty program history. The 344 researchers from 59 countries submitted 1,469 eligible vulnerability reports during this period. The highest individual bounty reached $200,000. These submissions helped Microsoft resolve more than 1,000 potential security vulnerabilities across various products and platforms, including Azure, Microsoft 365, Dynamics 365, Power Platform, Windows, Edge, and Xbox. This represents a slight increase from the previous year when Microsoft paid $16.6 million to 343 security researchers from 55 countries.
Microsoft expanded several bounty programs this year. The Copilot bounty program now includes traditional online service vulnerabilities. The Dynamics 365 and Power Platform programs introduced a new AI category. The Windows program added awards for remote denial-of-service attacks and local sandbox escape scenarios. The Identity bounty program now covers more APIs and domains. The Defender program added Microsoft Defender for Identity (MDI), Microsoft Defender for Office (MDO), and Microsoft Defender for Cloud Applications (MDA). Microsoft also announced higher payouts for moderate-severity Microsoft Copilot (AI) security flaws, increased rewards to $40,000 for some .NET and ASP.NET Core vulnerabilities, and raised bounty awards for Power Platform and Dynamics 365 AI flaws.
"By incentivizing independent researchers to identify vulnerabilities in high-impact areas, including the rapidly evolving field of AI, we're able to stay ahead of emerging threats," Microsoft stated in its annual bounty program review.
"Through Coordinated Vulnerability Disclosure, these researchers play a critical role in reinforcing the trust that millions of users place in Microsoft technologies every day."
Microsoft described its upcoming Zero Day Quest hacking contest as the "largest hacking event in history," offering up to $5 million in bounty awards.
Critical flaws that allow remote code execution, privilege escalation, or AI manipulation usually command the top rewards.
Most of Microsoft’s bug bounty programs are open to the public, but some specialized contests require invitations or prior contributions.
Coordinated Vulnerability Disclosure (CVD) ensures researchers report flaws privately so that vendors can patch them before attackers exploit them.
AI vulnerabilities often involve data poisoning, model manipulation, or prompt injection rather than classic code exploits.