Article Details
Scrape Timestamp (UTC): 2025-02-10 15:04:50.586
Original Article Text
Microsoft raises rewards for Copilot AI bug bounty program
Microsoft announced over the weekend that it has expanded its Microsoft Copilot (AI) bug bounty program and increased payouts for moderate severity vulnerabilities.
To further secure its Copilot consumer products against attacks, Redmond added a broader range of Copilot consumer products and services to the scope of the program, including Copilot for Telegram, Copilot for WhatsApp, copilot.microsoft.com, and copilot.ai.
The company is now also offering incentives of up to $5,000 for reporting moderate vulnerabilities, which can also significantly affect the security and reliability of its Copilot products.
"We are introducing new incentives for moderate severity Copilot cases. Researchers who identify and report moderate severity vulnerabilities will now be eligible for bounty rewards up to $5,000," Microsoft said.
"This expansion provides researchers with more opportunities to contribute to the security of our Copilot ecosystem and helps us identify and mitigate potential vulnerabilities across a wider array of platforms."
The company's Microsoft Copilot bounty program also rewards qualified submissions for vulnerabilities found in Copilot (Pro) AI experiences in Microsoft Edge (Windows), Microsoft Copilot Application (iOS and Android), Windows OS, and Bing generative search hosted on bing.com in Browser.
Bounty awards range from $250 for low-severity Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Web Security Misconfiguration, Cross Origin Access, and Improper Input Validation bugs up to $30,000 for critical flaws allowing inference manipulation.
The Microsoft 365 Bounty Program was also expanded last month to include new Viva products for Critical and Important cases, including Feature Access Control, Glint, Learning, and Pulse, with awards up to $27,000.
During last year's Ignite annual conference in Chicago, Microsoft also expanded its bug bounty programs by launching the Zero Day Quest, a hacking event with $4 million in rewards focused on cloud and AI products and platforms. The efforts to boost cybersecurity protection across all products are part of the Secure Future Initiative (SFI), a company-wide cybersecurity engineering effort launched in November 2023 to get ahead of a scathing report issued by the Cyber Safety Review Board of the U.S. Department of Homeland Security saying that Microsoft's "security culture was inadequate and requires an overhaul."
Daily Brief Summary
Microsoft has increased the reward payouts of its Copilot AI bug bounty program, now offering up to $5,000 for moderate severity vulnerabilities.
The scope of the bug bounty program has been expanded to include a broader range of Copilot consumer products and services, such as Copilot for Telegram and WhatsApp, among others.
The initiative aims to enhance the security and reliability of Copilot products by incentivizing the discovery and reporting of vulnerabilities.
Rewards for reporting vulnerabilities range from $250 for low-severity issues to $30,000 for critical exploits in various Microsoft environments, including Bing and Windows OS.
The expansion allows cybersecurity researchers more opportunities to help secure the expanding Copilot ecosystem.
Microsoft's overall cybersecurity efforts, boosted by expansions to its bug bounty programs, are part of a broader Secure Future Initiative.
This initiative is a response to a critical review by the U.S. Department of Homeland Security regarding Microsoft’s security practices, pushing the company to enhance its cybersecurity measures across all products.