Microsoft Awards $2.3 Million in Zero Day Quest Hacking Contest
**Microsoft** has awarded $2.3 million to security researchers who participated in this year's Zero Day Quest hacking contest. The event, which drew participants from over 20 countries, focused on uncovering high-impact cloud and AI security vulnerabilities.

**Microsoft** has awarded $2.3 million to security researchers after receiving nearly 700 submissions during this year's Zero Day Quest hacking contest.
### High-Impact Vulnerabilities Discovered
According to **Tom Gallagher**, Vice President of Engineering at **Microsoft** Security Response Center (**MSRC**), over 80 flaws found during the live event at **Microsoft's** Redmond campus were high-impact cloud and AI security vulnerabilities.
"During the 2026 live hacking event, **Microsoft** partnered with the global security research community, representing more than 20 countries and a wide range of professional backgrounds, from high school students to college professors," Gallagher said.
Researchers conducted all testing within authorized environments in accordance with **Microsoft's** Rules of Engagement, demonstrating potential impact without accessing customer data or other tenant systems. Within these constraints, researchers identified critical paths involving credential exposure, SSRF chains, and cross-tenant access.
### Increased Prize Pool and Participation
Last August, **Microsoft** announced that it would increase the prize pool at this year's Zero Day Quest hacking contest to $5 million in bounty awards, which the company described as the "largest hacking event in history."
The 2025 Zero Day Quest also generated significant participation from the security community, following **Microsoft's** offer of $4 million in rewards for vulnerabilities in cloud and AI products and platforms.
After the hacking competition concluded, **Microsoft** announced it had paid $1.6 million in rewards after receiving more than 600 vulnerability submissions.
### Secure Future Initiative (SFI)
The Zero Day Quest contest is part of **Microsoft's** Secure Future Initiative (**SFI**), a cybersecurity engineering effort launched in November 2023, following a scathing report from the Cyber Safety Review Board of the U.S. Department of Homeland Security that found the company's security culture "inadequate" and requiring "an overhaul."
"As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the CVE program, even if no customer action is required," Gallagher said in August. "Learnings from the Zero Day Quest will be shared across **Microsoft** to help improve Cloud and AI security in alignment with SFI's core principles: securing by default, by design, and in operations."
Earlier that month, **Microsoft** announced it had paid a record $17 million to 344 security researchers across 59 countries through its bug bounty program between July 2024 and June 2025.
In December, it also announced that security researchers would be paid for finding critical vulnerabilities in any of **Microsoft's** online services, even if a third party wrote the vulnerable code.