Microsoft has launched a major new initiative called Zero Day Quest, aimed at finding and fixing vulnerabilities in its cloud and AI products. The announcement was made during the company's Ignite conference in Chicago, Illinois. The program expands on Microsoft's existing bug bounty programs, giving researchers a platform to identify security flaws and be rewarded for their efforts.
The Zero Day Quest kicks off with a research challenge, where participants can earn multiplied bounty awards for submitting vulnerabilities based on specific scenarios. These submissions could also qualify the researchers for an exclusive onsite hacking event in Redmond, Washington, scheduled for 2025. This challenge is open to everyone and will run from November 19, 2024, until January 19, 2025.
Microsoft is also increasing its focus on AI security. The company will offer double bounty rewards for AI-related vulnerabilities reported by security researchers. These researchers will gain direct access to Microsoft's AI engineers and the company’s AI Red Team to further enhance the security of AI products.
"This new hacking event will be the largest of its kind, with an additional $4 million in potential rewards for research into high-impact areas, specifically cloud and AI," said Tom Gallagher, Vice President of Engineering at the Microsoft Security Response Center (MSRC). He further added, "Zero Day Quest will provide new opportunities for the security community to work alongside Microsoft engineers and security researchers, creating a collaborative environment to improve security."
Zero Day Quest is part of Microsoft's Secure Future Initiative (SFI), a cybersecurity effort launched in November 2023. The initiative aims to strengthen security across Microsoft's products, following a critical report from the U.S. Department of Homeland Security’s Cyber Safety Review Board, which highlighted weaknesses in the company’s security culture.
Microsoft has faced significant security challenges in the past, including a breach in May by Chinese hackers who stole over 60,000 emails from U.S. State Department accounts. Additionally, various Microsoft products have been targeted by attackers exploiting vulnerabilities like ProxyShell and ProxyLogon, affecting tens of thousands of Exchange servers worldwide.
"As part of our Secure Future Initiative, we will transparently share critical vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program," Gallagher said. "Even those that do not require customer action will be disclosed to help improve security."
In addition to the Zero Day Quest, Microsoft also introduced a new administrator protection feature, available in preview on Windows 11 devices. The feature is designed to protect critical system resources by requiring additional Windows Hello authentication prompts before access is granted.
"Since the launch of SFI, we have focused the equivalent of 34,000 full-time engineers on addressing the highest-priority security challenges," said David Weston, Vice President of Enterprise and OS Security at Microsoft.