
Microsoft, in its annual bug bounty review, lauded researchers for preventing potential exploits and said that encouraging focus on high-impact domains such as AI allows the company to anticipate and address emerging cyber threats effectively.
Microsoft has paid an unprecedented $17 million in rewards to security researchers worldwide over the past year, marking the largest annual payout in the history of its bug bounty initiatives.
From July 2024 to June 2025, 344 researchers from 59 countries submitted 1,469 eligible vulnerability reports. The most significant individual payout reached $200,000, with the findings helping address more than 1,000 potential security flaws across a broad range of Microsoft products and services, including Azure, Microsoft 365, Windows, Edge, Dynamics 365, Power Platform, and Xbox.
In its annual bounty program review, Microsoft credited the contributions of independent researchers for helping the company identify and fix vulnerabilities before they could be exploited. “By encouraging researchers to focus on high-impact areas, including the fast-moving field of AI, we can stay ahead of evolving security threats,” the company stated.
Program growth and new categories
Over the past year, Microsoft expanded several bounty programs to cover emerging technologies and threat scenarios. The Copilot AI program now accepts traditional online service vulnerabilities, while the Dynamics 365 and Power Platform programs have introduced an AI-focused category. The Windows bounty has added rewards for remote denial-of-service exploits and local sandbox escape techniques.
The Identity program has broadened to include more APIs and domains, and Defender’s bounty scope now covers Microsoft Defender for Identity, Defender for Office, and Defender for Cloud Applications.
Reward amounts have also increased, with moderate-severity Microsoft Copilot AI vulnerabilities now eligible for higher payouts. The company raised maximum awards to $40,000 for certain .NET and ASP.NET Core flaws and boosted rewards for AI-related vulnerabilities in Power Platform and Dynamics 365.
Record contest prize pool
In a further push to engage the security research community, Microsoft announced it will offer up to $5 million in prizes at its upcoming Zero Day Quest hacking contest, billed as the largest event of its kind.
The company emphasized that coordinated vulnerability disclosure remains central to building user trust, ensuring that millions who rely on Microsoft products benefit from a stronger, more secure ecosystem.