6 Sources
[1]
Microsoft announces its own Black Hat-like hacking event with big rewards for AI security
Microsoft has announced an open-to-all research challenge to encourage researchers to discover high-impact vulnerabilities in its programs. Zero Day Quest will offer bug bounties for researchers who report flaws in Microsoft AI, Azure, Identity, Dynamics 365 and Power platform, and M365. The challenge will run until January 19, 2025, and will be subject to existing bounty program terms, the safe harbor policy, and additional terms and conditions. Microsoft hopes the event will bring together the security community and encourage collaboration between researchers and engineers to help keep all its users safe. Alongside an online event, the best 45 researchers (by bounty awarded amount) will be invited to an all-expenses paid Onsite Zero Day Quest event in Washington, with the 10 highest ranked researchers from the 2024 Azure, Dynamics, and Office leaderboards also invited. AI has been dominating the security conversation for the last year, and to reflect the growing concerns for AI security, Microsoft has doubled the AI bounty awards. Other bounty multipliers have also been included, such as for the discovery of critical and important severity Remote Code Execution and Elevation of Privilege flaws. Microsoft has made security its number one priority, embarking on its Secure Future Initiative to ensure 'security above all else' in order to protect users and businesses. "This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI," said Tom Gallagher, VP of Engineering for Microsoft Security Response Center. "Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers - bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe."
[2]
Hack Microsoft win $4 million with Zero Day Quest
Microsoft has launched the Zero Day Quest, a new hacking event with a focus on AI and cloud security, offering a total of $4 million in rewards for security researchers. Announced at the Ignite conference in Chicago, this initiative expands Microsoft's bug bounty programs to enhance AI security and foster collaboration between the cybersecurity community and Microsoft's engineering teams. Zero Day Quest starts with a research challenge open to all participants where they can submit vulnerabilities for specific scenarios. This challenge runs from November 19, 2024, to January 19, 2025, and allows successful submissions to earn multiplied bounty awards, potentially qualifying them for an invite-only onsite hacking event next year in Redmond, Washington. Additionally, Microsoft is incentivizing the reporting of AI vulnerabilities by offering double bounty rewards and facilitating direct access to its AI engineers and AI Red Team for participating researchers. Tom Gallagher, VP of Engineering at the Microsoft Security Response Center (MSRC), emphasized the significance of the event, stating, "This new hacking event will be the largest of its kind," highlighting that it is designed to unite top security minds to share knowledge and improve overall safety in cloud and AI sectors. This initiative aligns with Microsoft's Secure Future Initiative (SFI), a cybersecurity engineering commitment launched in November 2023, aimed at enhancing security measures across its products amid growing scrutiny over its security culture. The expansion of Microsoft's security initiatives comes in light of various cybersecurity challenges, including recent incidents where the company fell victim to attacks. Notably, in May 2023, Chinese hackers breached Microsoft's cloud-based Exchange email platform, leading to the theft of over 60,000 emails from U.S. State Department accounts. 
This incident, along with other widespread attacks exploiting vulnerabilities like ProxyShell, ProxyNotShell, and ProxyLogon, has prompted the company to reassess and improve its security infrastructure. As part of the Secure Future Initiative (SFI), Microsoft aims to share vital information about critical vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program, even if customer action is not required. The initiative has reportedly involved the equivalent of 34,000 full-time engineers focusing on high-priority security challenges, underscoring the company's commitment to a collaborative approach to cybersecurity. Offering enhanced support and resources for security researchers is a central theme in Zero Day Quest. The program encourages the security community to engage actively with Microsoft engineers while working collaboratively to identify and mitigate vulnerabilities in AI and cloud infrastructure. The doubling of bounty awards for AI-related vulnerabilities represents an acknowledgement of the increasing importance of securing AI technologies, where risks can have broader implications. David Weston, Microsoft's Vice President for Enterprise and OS Security, reiterated the company's strategic direction by stating that lessons learned from the Zero Day Quest will contribute to improving AI and cloud security, ensuring such developments prioritize safety and reliability.
[3]
Microsoft launches Zero Day Quest hacking event with $4 million in rewards
Microsoft announced today at its Ignite annual conference in Chicago, Illinois, that it's expanding its bug bounty programs with Zero Day Quest, a new hacking event focusing on cloud and AI products and platforms. The Zero Day Quest starts today with a research challenge where submissions of vulnerabilities for specific scenarios can earn multiplied bounty awards and may qualify for the 2025 onsite hacking event (invite only) in Redmond, Washington. This challenge is open to everyone and will run from November 19, 2024, through January 19, 2025. To further advance AI security, starting today, Microsoft says it will also offer double bounty awards for AI vulnerabilities reported by security researchers while also providing them with direct access to the Microsoft AI engineers and the company's AI Red Team. "This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI," said Tom Gallagher, VP of Engineering at the Microsoft Security Response Center (MSRC). "Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers- bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe." This is part of Microsoft's Secure Future Initiative (SFI), a cybersecurity engineering effort launched in November 2023 to boost cybersecurity protection across its products just in time to get ahead of a scathing report issued by the Cyber Safety Review Board of the U.S. Department of Homeland Security saying that the company's "security culture was inadequate and requires an overhaul." As BleepingComputer reported, Microsoft found itself on the receiving end of Chinese hackers' attacks in May, when the attackers stole over 60,000 emails from U.S. State Department accounts after breaching the company's cloud-based Exchange email platform. 
Security flaws affecting multiple other Microsoft products and platforms have also been used in widespread attacks. For instance, in recent years, many threat actors (including ransomware gangs) have abused ProxyShell, ProxyNotShell, and ProxyLogon vulnerabilities to target tens of thousands of Exchange servers exposed online. "As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program, even if they require no customer action," Gallagher added. "Learnings from the Zero Day Quest will be shared across Microsoft to help improve cloud and AI security - by default, by design, and in operations." Today, Microsoft also shared more information on the new administrator protection security feature, available in preview on Windows 11 devices and designed to block access to critical system resources using extra Windows Hello authentication prompts. "Since launching SFI, we've focused the equivalent of 34,000 full-time engineers on the highest-priority security challenges," added David Weston, the company's Vice President for Enterprise and OS Security, today.
[4]
Microsoft announces its own Black Hat-like hacking event with big rewards for AI security
Microsoft is creating an in-person hacking event, Zero Day Quest, which it says will be the largest of its kind. The event will build upon Microsoft's existing bug bounty program, and incentivize research into high-impact security flaws that can affect the software powering cloud and AI workloads. "This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI," explains Tom Gallagher, VP of engineering at Microsoft's security response center. "Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers -- bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe."
[5]
Microsoft offers $4 million in AI and cloud bug bounties - how to qualify
The company's Zero Day Quest hacking event will reward researchers who find new security flaws. Hackers and security researchers who uncover vulnerabilities in certain Microsoft products could take home part of a $4 million bug bounty. On Tuesday, the company announced a new invitation-only hacking event called Zero Day Quest. Touted as the largest of its kind, the event will invite top-ranked researchers to discover and report high-impact security flaws. Microsoft also announced a research challenge that is open to anyone. Before diving in, first-time researchers and other curious parties should check out the MSRC Researcher Resource Center to learn how to submit security vulnerabilities to Microsoft. Zero Day Quest is scheduled to be held in 2025 at Microsoft's campus in Redmond, Washington. Microsoft's top 10 ranked researchers from each of the 2024 Annual Azure, Dynamics, and Office Leaderboards will be able to attend the hacking event. Another 45 researchers will be accepted based on the quality of their submissions to the research challenge. Those invited will get round-trip economy airfare, a five-night hotel stay, transportation between the airport and hotel, and the chance to take home a hefty bug bounty. With $4 million ready to dole out, Microsoft will award researchers who uncover flaws in areas including: Beyond the hefty bug bounties, Microsoft will also offer qualifying researchers a chance to work with its engineers and security experts. "To advance AI security, starting today we will offer double AI bounty awards," Tom Gallagher, VP of Engineering at Microsoft Security Response Center, said in the blog post. "We will also offer researchers direct access to the Microsoft AI engineers focused on developing secure AI solutions, and our AI Red Team. 
This unique opportunity will allow participants to enhance their skills with cutting-edge tools and techniques and work with Microsoft to raise the bar for AI security across the ecosystem." What will it take for you to qualify? The goal of the bounty program is to find important security flaws that directly impact the security of Microsoft users, so you'll need to identify a vulnerability not previously reported or known to Microsoft. The vulnerability must be considered Critical or Important in severity and must be reproducible. Finally, you'll have to provide clear steps in writing or video showing Microsoft engineers how to reproduce and fix the bug.
[6]
Microsoft Ignite 2024: all the news from Microsoft's IT pro event
Microsoft is creating an in-person hacking event, Zero Day Quest, which it says will be the largest of its kind. The event will build upon Microsoft's existing bug bounty program, and incentivize research into high-impact security flaws that can affect the software powering cloud and AI workloads. "This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI," explains Tom Gallagher, VP of engineering at Microsoft's security response center. "Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers -- bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe."
Microsoft announces Zero Day Quest, a large-scale hacking event offering $4 million in rewards for uncovering vulnerabilities in AI and cloud technologies, as part of its expanded bug bounty program and Secure Future Initiative.
Microsoft has announced Zero Day Quest, a pioneering hacking event aimed at bolstering security in cloud and AI technologies. This initiative, revealed at the Ignite conference in Chicago, offers a substantial $4 million in potential rewards for researchers who uncover high-impact vulnerabilities [1][2].
Zero Day Quest kicks off with an open research challenge running from November 19, 2024, to January 19, 2025. This phase allows all participants to submit vulnerabilities for specific scenarios, with successful submissions earning multiplied bounty awards [2]. The challenge serves as a qualifier for an exclusive onsite hacking event planned for 2025 at Microsoft's Redmond, Washington campus [3].
A key highlight of Zero Day Quest is its emphasis on AI security. Microsoft is doubling bounty awards for AI-related vulnerabilities and providing researchers direct access to its AI engineers and Red Team [2][5]. This move underscores the growing importance of securing AI technologies in an era of rapid advancement.
Zero Day Quest expands Microsoft's existing bug bounty programs, covering a wide range of products and platforms including:
Tom Gallagher, VP of Engineering at the Microsoft Security Response Center (MSRC), emphasized the event's collaborative nature: "Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers - bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe" [1][3].
This event is a component of Microsoft's Secure Future Initiative (SFI), launched in November 2023. The SFI represents a significant cybersecurity engineering effort, involving the equivalent of 34,000 full-time engineers focused on high-priority security challenges [2][3].
The launch of Zero Day Quest comes in the wake of several high-profile security incidents involving Microsoft products. These include a Chinese hack of the cloud-based Exchange email platform in May 2023, which resulted in the theft of over 60,000 emails from U.S. State Department accounts [2][3].
To qualify for rewards, researchers must identify previously unreported vulnerabilities that are reproducible and classified as Critical or Important in severity. Successful participants may receive invitations to the 2025 onsite event, with Microsoft covering travel expenses for top-ranked researchers [3][5].
This initiative aligns with Microsoft's efforts to overhaul its security culture, addressing criticisms raised in a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security [3]. By fostering collaboration between external researchers and internal teams, Microsoft aims to enhance its security measures across all products and platforms.