![CVE-2024-30080 - Microsoft Copilot Bug Bounty](https://securityexpress.info/wp-content/uploads/2024/06/microsoft-1537592_640.jpg)
Microsoft has expanded its vulnerability rewards program for Microsoft Copilot, increasing payouts for medium-severity security flaws. As part of its Secure Future Initiative (SFI), the company has broadened the scope of its bug bounty program to include Copilot for Telegram and WhatsApp, as well as the platforms copilot.microsoft[.]com and copilot[.]ai.
Security researchers can now earn up to $5,000 for discovering medium-risk vulnerabilities that could impact the security and reliability of Copilot. Microsoft stated that this enhancement will provide experts with greater opportunities to safeguard the AI ecosystem and accelerate the mitigation of potential threats.
The Microsoft Copilot bug bounty program already covers a wide range of AI-powered services, including Copilot Pro in Microsoft Edge (Windows), mobile applications for iOS and Android, Windows, and Bing’s generative search. Bounties range from $250 for minor bugs, such as XSS and CSRF, to $30,000 for critical vulnerabilities, such as AI output manipulation.
Simultaneously, Microsoft has also expanded another program—the Microsoft 365 Bounty—by incorporating new Viva products, including Feature Access Control, Glint, Learning, and Pulse. The company is offering rewards of up to $27,000 for identifying critical and high-impact security vulnerabilities in these services.
In recent years, Microsoft has actively engaged security researchers in identifying vulnerabilities within its products. During last year’s Ignite conference, the company introduced the Zero Day Quest initiative, featuring a $4 million prize pool aimed at uncovering security flaws in cloud and AI-based solutions.
These measures come amid criticism from the U.S. Cyber Safety Review Board, which previously urged Microsoft to reevaluate its approach to data protection. A report from the board highlighted significant deficiencies in the company’s security framework, and the Secure Future Initiative has been positioned as a strategic response to address these concerns.