Microsoft Bounty Programs: Microsoft strongly believes close partnerships with researchers make customers more secure. Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process. Each year we partner together to better protect billions of customers worldwide.
If you are a security researcher that has found a vulnerability in a Microsoft product, service, or device we want to hear from you. If your vulnerability report affects a product or service that is within the scope of one of our bounty programs below, you may receive a bounty award according to the program descriptions. Even if it is not covered under an existing bounty program, we will publicly acknowledge your contributions when we fix the vulnerability. All vulnerability submissions are counted in our Researcher Recognition Program and leaderboard, even if they do not qualify for the bounty award.
The Microsoft Bug Bounty Programs are subject to the legal terms and conditions outlined here, and our bounty Safe Harbor policy.
Let the hunt begin!
Our bug bounty programs are divided by technology area though they generally have the same high-level requirements:
We want to award you
We are looking for new
Avoid harm to customer data
Follow co-ord vulnerability disclosure
You might also like How to Move Windows 10 to SSD (Solid-State Drive)
Cloud Programs
| Program Name | Start date | Last Updated | End date | Eligible entries | Bounty Range |
|---|---|---|---|---|---|
| Microsoft Azure | 2014-09-23 | 2019-08-05 | Ongoing | Vulnerability reports on Microsoft Azure cloud services | Up to $300,000 USD |
| 2018-07-17 | 2019-10-23 | Ongoing | Vulnerability reports on Identity services, including Microsoft Account, Azure Active Directory, or select OpenID standards. | Up to $100,000 USD | |
| Xbox | 2020-01-30 | 2020-01-30 | Ongoing | Vulnerability reports on the Xbox network and services | Up to $20,000 USD |
| Microsoft Online Services | 2014-09-23 | 2019-08-05 | Ongoing | Vulnerability reports on applicable Microsoft cloud services, including Office 365 | Up to $20,000 USD |
| Microsoft Azure DevOps Services | 2019-01-17 | 2019-01-17 | Ongoing | Up to $20,000 USD | |
| Microsoft Dynamics 365 | 2019-07-17 | 2019-07-29 | Ongoing | Vulnerablility reports on applicable Microsoft Dynamics 365 applications | Up to $20,000 USD |
| 2016-09-01 | 2018-10-16 | Ongoing | Up to $15,000 USD |
Platform Programs
| Program Name | Start Date | Last Updated | End Date | Eligible Entries | Bounty Range |
|---|---|---|---|---|---|
| Microsoft Hyper-V | 2017-05 -31 | 2019-03-15 | Ongoing | Critical remote code execution, information disclosure and denial of services vulnerabilities in Hyper-V | Up to $250,000 USD |
| Microsoft Windows Insider Preview | 2017-07-26 | 2020-02-10 | Ongoing | Critical and important vulnerabilities in Windows Insider Preview | Up to $30,000 USD |
| Windows Defender Application Guard | 2017-07-26 | 2017-07-26 | Ongoing | Critical vulnerabilities in Windows Defender Application Guard | Up to $30,000 USD |
| Microsoft Edge (Chromium-based) | 2019-08-20 | 2020-01-15 | Ongoing | Critical and important vulnerabilities in Microsoft Edge (Chromium-based) Dev, Beta, and Stable channels | Up to $30,000 |
| Microsoft Edge (EdgeHTML) on Windows Insider Preview | 2016-08-04 | 2020-01-23 | 2020-03-15 | Critical remote code execution and design issues in Microsoft Edge (EdgeHTML) in Windows Insider Preview Slow ring | Up to $15,000 USD |
| Office Insider | 2017-03-15 | 2018-12-07 | Ongoing | Vulnerabilities on Office Insider | Up to $15,000 USD |
| ElectionGuard | 2019-10-18 | 2019-10-18 | Ongoing | Vulnerabilities in ElectionGuard | Up to $15,000 USD |
Defense & Grant Programs
| Program Name | Start Date | Last Updated | End Date | Eligible Entries | Bounty Range |
|---|---|---|---|---|---|
| Mitigation Bypass and Bounty for Defense | 2013-06-26 | 2018-10-02 | Ongoing | Novel exploitation techniques against protections built into the latest version of the Windows operating system. Additionally, defensive ideas that accompany a Mitigation Bypass submission. | Up to $100,000 USD (plus up to an additional $100,000) |
| Grant: Microsoft Identity | 2020-01-09 | 2020-01-09 | Ongoing | This project grant awards up to $75,000 USD for approved research proposals that improve the security of the Microsoft Identity solutions in new ways for both Consumers (Microsoft Account) and Enterprise (Azure Active Directory). | Up to $75,000 USD |
Additional resources for security researchers
We have pulled together additional resources to help you understand our bounty program offerings and even help you get started on the path or to higher payouts. We truly view this as a collaborative partnership with the security community. Your success in this program helps further our customer’s security and the ecosystem. Microsoft Bounty Programs
Frequently Asked Questions
Example of High Quality Reports
Microsoft Bounty Legal Safe Harbor
Windows Security Servicing Criteria
Directory of Azure Services
Microsoft Documentation for end-users, developers, and IT professionals
Microsoft Security Research & Defense Blog
HackerOne’s Hacker101 training
Bugcrowd University
Out of Bounty Scope
Some submission types are generally not eligible for Microsoft bounty awards. Please refer to our bounty programs for additional information on eligible submissions, vulnerability, or attack methods. Source
Would you like to read more Microsoft Bounty Programs-related articles? If so, we invite you to take a look at our other tech topics before you leave!
