Microsoft Security Response Center Blog

Exciting updates to the Copilot (AI) Bounty Program: Enhancing security and incentivizing innovation

Friday, February 07, 2025

At Microsoft, we are committed to fostering a secure and innovative environment for our customers and users. As part of this commitment, we are thrilled to announce significant updates to our Copilot (AI) Bounty Program. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.

• Bug Bounty
• Bug Bounty Programs
• Community-based Defense
• Security Researcher
• Copilot
• Responsible AI

Scaling Dynamic Application Security Testing (DAST)

Tuesday, January 21, 2025

Introduction Microsoft engineering teams use the Security Development Lifecycle to ensure our products are built in alignment with Microsoft’s Secure Future Initiative security principles: Secure by Design, Secure by Default, and Secure Operations. A key component of the Security Development Lifecycle is security testing, which aims to discover and mitigate security vulnerabilities before adversaries can exploit them.

Congratulations to the Top MSRC 2024 Q4 Security Researchers!

Wednesday, January 15, 2025

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2024 Q4 Security Researcher Leaderboard are Suresh, VictorV, wkai! Check out the full list of researchers recognized this quarter here.

• Bug Bounty
• Bug Bounty Programs
• Bounty
• Community-based Defense
• Security Research
• Security Researcher

Mitigating NTLM Relay Attacks by Default

Monday, December 09, 2024

Introduction In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.

Announcing the Adaptive Prompt Injection Challenge (LLMail-Inject)

Friday, December 06, 2024

We are excited to introduce LLMail-Inject, a new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client. In this challenge, participants assume the role of an attacker who sends an email to a user. The user then queries the LLMail service with a question (e.

Securing AI and Cloud with the Zero Day Quest

Tuesday, November 19, 2024

Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that’s why we also partner with the global security community through our bug bounty programs to proactively identify and mitigate potential issues before our customers are impacted.

• Bounty
• Bug Bounty
• Bug Bounty Programs
• BlueHat
• Artificial intelligence
• Training
• Zero Day Quest
• Secure Future Initiative
• Cloud

Toward greater transparency: Publishing machine-readable CSAF files

Tuesday, November 12, 2024

Welcome to the third installment in our series on transparency at the Microsoft Security Response Center (MSRC). In this ongoing discussion, we talk about our commitment to providing comprehensive vulnerability information to our customers. At MSRC, our mission is to protect our customers, communities, and Microsoft, from current and emerging threats to security and privacy.

• Security Update Guide

Congratulations to the Top MSRC 2024 Q3 Security Researchers!

Wednesday, October 23, 2024

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2024 Q3 Security Researcher Leaderboard are wkai, VictorV, and Zhihua Wen! Check out the full list of researchers recognized this quarter here.

• Bug Bounty
• Bug Bounty Programs
• Bounty
• Community-based Defense
• Security Research
• Security Researcher

Announcing the BlueHat 2024 Sessions

Tuesday, October 22, 2024

34 sessions from 54 presenters representing 20 organizations! We are thrilled to reveal the lineup of speakers and presentations for the 23rd BlueHat Security Conference, in Redmond WA from Oct 29-30. This year’s conference continues the BlueHat ethos and Secure Future Initiative mission of “Security Above All Else”. Security researchers and responders from inside and outside of Microsoft will gather on the Microsoft campus in Redmond, WA to share, debate, and challenge each other, with the shared goal of creating a safer and more secure world for all.

• BlueHat

Announcing BlueHat 2024: Call for Papers now open

Wednesday, August 07, 2024

The 23rd edition of Microsoft’s BlueHat security conference will be hosted by the Microsoft Security Response Center (MSRC) at the Redmond, WA corporate campus, October 29 and 30, 2024. BlueHat brings together security researchers and responders from both inside and outside of Microsoft, who come together as peers to exchange ideas, experiences, and best practices, all in the interest of creating a safer and more secure world for everyone.

• BlueHat
• Security Research