Microsoft paid $2.3 million to security researchers after its Zero Day Quest 2026 hacking contest wrapped up last month. The event pulled in nearly 700 vulnerability submissions and uncovered more than 80 serious flaws sitting inside Microsoft’s cloud and AI infrastructure.
That is not a small number. These were not surface-level bugs.
What Researchers Actually Found
The live hacking event ran at Microsoft’s Redmond campus and brought together researchers from more than 20 countries. The group included everyone from high school students to college professors, all hunting for weaknesses inside Microsoft’s systems under controlled conditions.
What they found was serious. Researchers uncovered three main categories of vulnerabilities:
Credential exposure refers to situations where login credentials or authentication tokens were accessible in ways they should not have been. An attacker exploiting this could impersonate legitimate users or services.
SSRF chains are built on Server-Side Request Forgery (SSRF). In plain terms, SSRF is when an attacker tricks a server into making requests on their behalf, potentially reaching internal systems that are supposed to be off-limits.
Cross-tenant access issues are particularly alarming in cloud environments. Microsoft’s cloud hosts thousands of businesses on shared infrastructure. A cross-tenant flaw means data or systems belonging to one customer could potentially be reached by another. Microsoft confirmed that several findings showed how these weaknesses, if combined, could allow an attacker to jump between isolated customer environments.
None of the researchers actually accessed real customer data. The entire event operated under strict rules, and testing only happened inside authorized environments.
Why Microsoft Is Running These Contests
This did not happen in a vacuum. Back in 2023, the U.S. Department of Homeland Security’s Cyber Safety Review Board released a report that called Microsoft’s security culture “inadequate.” The report said that culture needed a full overhaul. That was a hard hit for one of the world’s largest technology companies.
Microsoft responded by launching the Secure Future Initiative (SFI), a company-wide engineering effort focused on rebuilding its security practices from the ground up. Zero Day Quest is a direct product of that initiative.
The numbers show the program growing year over year. At Zero Day Quest 2025, Microsoft paid out $1.6 million across 600 submissions. This year, that jumped to $2.3 million across nearly 700 submissions, out of a total prize pool of $5 million.
Microsoft has also expanded what counts as eligible for a bounty. Researchers can now get paid for finding critical flaws in third-party code that runs inside Microsoft’s services, not just vulnerabilities in Microsoft-written software. That is a meaningful shift in how the company thinks about its own attack surface.
The Bigger Picture for Cloud Security
The findings from Zero Day Quest 2026 point to something the cloud industry has been wrestling with for years. The more services get layered on top of each other, the more ways there are for small weaknesses to chain together into something serious.
Microsoft acknowledged this directly, noting that many of this year’s findings showed how identity control gaps or weak tenant isolation could become dangerous when combined with other vulnerabilities. Fixing one issue in isolation is not enough. The whole chain matters.
Tom Gallagher, Vice President of Engineering at Microsoft’s Security Response Center, said the learnings from this contest will be shared across Microsoft’s engineering teams. Validated vulnerabilities will also be disclosed publicly through the CVE program, which is the standard industry registry for known security flaws.
For context on the scale of Microsoft’s broader security investment, the company paid a record $17 million in bug bounties between July 2024 and June 2025. Since its bug bounty program launched in 2018, total payouts have passed $92 million.
Zero Day Quest is planned to continue as an annual event. The next research challenge is expected to open later this year.
