Microsoft has launched the Zero Day Quest, a new hacking event with a focus on AI and cloud security, offering a total of $4 million in rewards for security researchers. Announced at the Ignite conference in Chicago, this initiative expands Microsoft’s bug bounty programs to enhance AI security and foster collaboration between the cybersecurity community and Microsoft’s engineering teams.
Zero Day Quest starts with a research challenge open to all participants where they can submit vulnerabilities for specific scenarios. This challenge runs from November 19, 2024, to January 19, 2025, and allows successful submissions to earn multiplied bounty awards, potentially qualifying them for an invite-only onsite hacking event next year in Redmond, Washington. Additionally, Microsoft is incentivizing the reporting of AI vulnerabilities by offering double bounty rewards and facilitating direct access to its AI engineers and AI Red Team for participating researchers.
Tom Gallagher, VP of Engineering at the Microsoft Security Response Center (MSRC), emphasized the significance of the event, stating, “This new hacking event will be the largest of its kind,” highlighting that it is designed to unite top security minds to share knowledge and improve overall safety in cloud and AI sectors. This initiative aligns with Microsoft’s Secure Future Initiative (SFI), a cybersecurity engineering commitment launched in November 2023, aimed at enhancing security measures across its products amid growing scrutiny over its security culture.
The expansion of Microsoft’s security initiatives comes in light of various cybersecurity challenges, including recent incidents where the company fell victim to attacks. Notably, in May 2023, Chinese hackers breached Microsoft’s cloud-based Exchange email platform, leading to the theft of over 60,000 emails from U.S. State Department accounts. This incident, along with other widespread attacks exploiting vulnerabilities like ProxyShell, ProxyNotShell, and ProxyLogon, has prompted the company to reassess and improve its security infrastructure.
As part of the Secure Future Initiative (SFI), Microsoft aims to share vital information about critical vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program, even if customer action is not required. The initiative has reportedly involved the equivalent of 34,000 full-time engineers focusing on high-priority security challenges, underscoring the company’s commitment to a collaborative approach to cybersecurity.
Increased support for researchers
Offering enhanced support and resources for security researchers is a central theme in Zero Day Quest. The program encourages the security community to engage actively with Microsoft engineers while working collaboratively to identify and mitigate vulnerabilities in AI and cloud infrastructure. The doubling of bounty awards for AI-related vulnerabilities represents an acknowledgement of the increasing importance of securing AI technologies, where risks can have broader implications.
David Weston, Microsoft’s Vice President for Enterprise and OS Security, reiterated the company’s strategic direction by stating that lessons learned from the Zero Day Quest will contribute to improving AI and cloud security, ensuring such developments prioritize safety and reliability.