Microsoft Bug Bounty Program
Microsoft strongly believes close partnerships with researchers make customers more secure. Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process. Each year we partner together to better protect billions of customers worldwide.
The Microsoft Bug Bounty Program is designed to supplement and encourage research in certain technologies to better protect our customers and the broader ecosystem. Through targeted and ongoing bounty programs, we reward researchers for submitting their findings to one of our eligible bounty programs and for partnering with us through Coordinated Vulnerability Disclosure. If you are a security researcher who has found a vulnerability in a Microsoft product, service, or device, we want to hear from you. If it is within the scope of a bounty program, you can receive a bounty award according to the program descriptions. Even if it is not covered under an existing bounty program, we will publicly acknowledge your contributions when we fix the vulnerability. Both categories of submission are counted in our annual Top 100 Researcher leaderboard.
The Microsoft Bug Bounty Programs are subject to the legal terms and conditions outlined here.
Let the hunt begin!
Our bug bounty programs are divided by technology area, though they generally have the same high-level requirements:
- We want to award you for your research. Submissions that contain well-written descriptions and impact statements, and that come with steps to reproduce your proof-of-concept code, will be eligible for higher awards than stack dumps or submissions without clear impact.
- We are looking for new and novel vulnerabilities. Your contributions help us address vulnerabilities we may have missed in the development process. Like you, we will continue investigating and reviewing our code. If you are the first external researcher to identify a vulnerability we already know about and are working to fix, you may still be eligible for a bounty award.
- Microsoft takes the privacy of our customers' data seriously. Some security research may occur on production services that our customers are using as well. We expect researchers to take care and avoid privacy violations, destruction of data, and interruption or degradation of our service during their research. If you discover customer data while researching, stop immediately and contact us.
- Be conscientious of service availability while doing research. The services in our cloud and datacenters are operating in a production environment where customers are actively using and depending on them. Research that impedes availability, including but not limited to denial of service or heavy resource utilization, is prohibited. We ask that you respect the production nature of the environment and do your best to avoid those impacts.
- If it can be found by a tool, it probably should be. Scanners and automation tools are common trade practice in the security community. They often produce many results for further investigation and can yield numerous false positives. As such, our bounty programs generally place reports from automated tools or scans out of scope.
- Social engineering and physical security attacks are off limits. Submissions that require manipulation of data, network access, or physical attack against Microsoft offices or data centers, and/or social engineering of our customer support service desk, employees, or contractors, will not be accepted.
- Follow coordinated vulnerability disclosure. Our customers' security is important to us. We ask that if you find a vulnerability in our products, services, or devices, you report it to us privately and work with us until a solution for that vulnerability is available. We will endeavor to work on each report diligently and to address it in a reasonable time period. In recognition of this partnership, we offer bounty awards and will acknowledge your contributions to customer security when the fix is available.
Active Bounty Programs
Start date | Status | Scope | Maximum award
---------- | ------ | ----- | -------------
2018-07-17 | Ongoing | Vulnerability reports on Identity services, including Microsoft Account, Azure Active Directory, or select OpenID standards. | Up to $100,000 USD
2017-07-26 | Ongoing | Critical and important vulnerabilities in Windows Insider Preview | Up to $50,000 USD
2017-07-26 | Ongoing | Critical vulnerabilities in Windows Defender Application Guard | Up to $30,000 USD
2017-05-31 | Ongoing | Critical remote code execution, information disclosure and denial of service vulnerabilities in Hyper-V | Up to $250,000 USD
2016-08-04 | Ongoing | Critical remote code execution and design issues in Microsoft Edge (EdgeHTML) in Windows Insider Preview Slow ring | Up to $15,000 USD
2013-06-26 | Ongoing | Novel exploitation techniques against protections built into the latest version of the Windows operating system. Additionally, defensive ideas that accompany a Mitigation Bypass submission. | Up to $100,000 USD (plus up to an additional $100,000)
2017-03-15 | Ongoing | Vulnerabilities on Office Insider | Up to $15,000 USD
2016-09-01 | Ongoing | Vulnerability reports on .NET Core and ASP.NET Core RTM and future builds (see link for program details) | Up to $15,000 USD
2014-09-23 | Ongoing | Vulnerability reports on applicable Microsoft cloud services | Up to $20,000 USD
2019-01-17 | Ongoing | Vulnerability reports on applicable Microsoft Azure DevOps Services | Up to $20,000 USD
Additional resources for security researchers
We have pulled together additional resources to help you understand our bounty program offerings and even help you get started on the path to higher payouts. We truly view this as a collaborative partnership with the security community. Your success in this program helps further our customers' security and the ecosystem.