Exciting updates to the Copilot (AI) Bounty Program: Enhancing security and incentivizing innovation
At Microsoft, we are committed to fostering a secure and innovative environment for our customers and users. As part of this commitment, we are thrilled to announce significant updates to our Copilot (AI) Bounty Program. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.
Building on our commitment to support AI researchers, we are also introducing new initiatives aimed at providing comprehensive training and resources to support aspiring AI professionals as part of Zero Day Quest. These initiatives will include workshops, access to Microsoft AI engineers, and cutting-edge research and development tools. By investing in the growth and education of AI researchers, we aim to cultivate a community of skilled professionals who can contribute to the advancement of AI technology and uphold the highest standards of security and innovation.
Integrating the Microsoft Vulnerability Classification for Online Services
One of the most impactful changes to our Copilot Bounty Program is the integration of the Microsoft Vulnerability Severity Classification for Online Services (Online Services bug bar). This integration builds on our existing alignment with the Microsoft Vulnerability Severity Classification for AI Systems (AI bug bar) and establishes a clear and consistent framework for evaluating the severity of vulnerabilities discovered in our Copilot consumer products. By aligning with the Online Services bug bar, we ensure that all reported vulnerabilities are assessed with the same rigor and standards applied across Microsoft’s online services. This not only streamlines the evaluation process but also enhances the transparency and fairness of our bounty rewards.
For more details on how the severity levels are classified, as defined by the Microsoft Security Response Center (MSRC) advisory rating and the Microsoft Exploitability Index, refer to the individual bug bars: Online Services bug bar and AI bug bar.
Incentivizing moderate severity cases
We recognize that even moderate vulnerabilities can have significant implications for the security and reliability of our Copilot consumer products. To address this, we are introducing new incentives for moderate severity Copilot cases. Researchers who identify and report moderate severity vulnerabilities will now be eligible for bounty rewards up to $5,000. Expanding our bounty program to include Copilot reflects our ongoing commitment to security across Microsoft products and services, and we encourage researchers to help us identify and mitigate vulnerabilities.
Expanding in-scope targets
To further enhance the security of our Copilot consumer products, we are expanding the scope of our Copilot Bounty Program. The updated program now includes a broader range of Copilot consumer products and services, ensuring that more areas are covered and protected. This expansion provides researchers with more opportunities to contribute to the security of our Copilot ecosystem and helps us identify and mitigate potential vulnerabilities across a wider array of platforms. The in-scope targets now include:
Copilot for Telegram
Copilot for WhatsApp
copilot.microsoft.com and copilot.ai
Join us in securing the future of Copilot
We believe that collaboration with the security research community is essential to maintaining the integrity and security of our Copilot consumer products. The updates to our Copilot (AI) Bounty Program reflect our ongoing commitment to this collaboration and our dedication to fostering a secure and innovative environment for all.
We invite all security researchers, developers, and enthusiasts to join us in this mission. By participating in the Copilot (AI) Bounty Program, you can help us identify and address vulnerabilities, contribute to the security of our Copilot consumer products, and earn awards for your valuable contributions.
Together, we can ensure that our Copilot products remain secure, safe, and innovative. Thank you for your continued support and dedication to making the digital world a safer place.
If you have any questions about this program or any other security research incentive program, please email us at [email protected].
Happy Hunting!
Lynn Miyashita and Madeline Eckert
Microsoft Bounty Team