Microsoft recently announced a new addition to its bug bounty program as well as an invitation-only hacking contest to encourage white hat hackers to find previously undiscovered vulnerabilities in its AI and cloud products, Microsoft AI, Microsoft Azure, Microsoft Identity, M365, Microsoft Dynamics 365 and Power Platform.
“Black hat hackers” is the term for cybercriminals who find previously undiscovered vulnerabilities in software, often called “zero-day defects,” and exploit them for criminal purposes. “White hat hackers” is the term for hackers who discover the same vulnerabilities but, instead of criminally exploiting these flaws, report their findings to the companies and government agencies that develop and use the software so that it can be patched before black hat hackers can exploit the flaws.
As AI and machine learning continue to become more advanced, there is great concern about how these tools are and will be used by black hat hackers to exploit vulnerabilities in the software programs that control so much of our lives, including sensitive infrastructure.
Bug bounty programs offer rewards to hackers who can identify vulnerabilities in the software of companies and even government agencies. The first bug bounty actually dates back to 1983, when the company Hunter & Ready offered a free Volkswagen Beetle, also known as a “bug,” to anyone who could find flaws in its operating system. The first real bug bounty program, however, came years later in 1995, when Netscape, maker of an early web browser, offered a reward to anyone who could find security flaws in its browser.
In 2012, HackerOne was established, providing a central location for companies and government agencies to offer bug bounty programs. Among its early clients were Yahoo, Google, Facebook, Uber and Microsoft. In 2016 the federal government used HackerOne to set up the “Hack the Pentagon” program, the first successful bug bounty program offered by the federal government. During the initial pilot of the “Hack the Pentagon” bug bounty program, 1,400 white hat hackers discovered 138 vulnerabilities. This led to the later “Hack the Army” and “Hack the Air Force” programs.
By 2022, white hat hackers had earned more than $100 million through HackerOne bug bounty programs.
In 2016 Apple started its Apple Security Bounty program which provided payments of up to $1 million for discovering critical security flaws.
Now through January 19th, Microsoft is offering its latest bug bounty program, which it calls Zero Day Quest and which encompasses two separate parts. In the first part, Microsoft invites white hat hackers and security researchers to discover and report to the company what it refers to as high-impact vulnerabilities in its AI and cloud products.
To qualify for the bounty, the vulnerability must not have been previously reported to or known by Microsoft, and it must be rated critical or important in severity. Further, the white hat hacker must not only provide information about the vulnerability but also provide Microsoft with information about how it can fix the issue.
The bounties range from $4,000 to $30,000, depending on the severity of the flaw discovered, with additional bonuses of even higher amounts for finding particularly critical or important vulnerabilities.
The second part of Zero Day Quest is described by Microsoft as its “inaugural security research event and celebration,” to be held at the Microsoft campus in Redmond, Washington. Microsoft is inviting its top ten white hat hackers along with 45 of the top white hat hackers from the first part of Zero Day Quest. Invitees will have their airfare, hotel and transportation costs paid by Microsoft.
So put on your white hat and start hacking.