PROGRAM DESCRIPTION 

The Microsoft AI bounty program invites security researchers from across the globe to discover vulnerabilities in the new, innovative, Microsoft Copilot. Qualified submissions are eligible for bounty rewards from $2,000 to $15,000 USD.

This bounty program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions and our bounty Safe Harbor policy.

IN-SCOPE SERVICES AND PRODUCTS

Vulnerabilities submitted in the following Product(s) are eligible under this bounty program:

  • Copilot AI experiences hosted on copilot.microsoft.com in Browser (all major vendors are supported, including Copilot Pro and Copilot with Comercial Data Protection)
  • Copilot AI experiences hosted on bing.com in Browser (all major vendors are supported, including Copilot Pro and Copilot with Comercial Data Protection)
  • Copilot AI experiences integrated in Microsoft Edge (Windows), including Copilot Pro and Copilot with Comercial Data Protection
  • Copilot AI experiences in the Microsoft Copilot Application (iOS and Android), including Copilot Pro
  • Copilot AI experiences in the Microsoft Start Application (iOS and Android
  • Copilot AI experiences in the Skype Mobile Application (iOS and Android

Related Bounty Programs

Submissions identifying vulnerabilities in Microsoft Copilot related online services will be considered under the M365 Bounty Program. All submissions are reviewed for bounty eligibility, so don’t worry if you aren’t sure where your submission fits. We will route your report to the appropriate program. 

ELIGIBLE SUBMISSIONS

The goal of the Microsoft AI bounty program is to uncover significant vulnerabilities in the new, innovative, Microsoft Copilot that have a direct and demonstrable impact on the security of our customers. 

Vulnerability submissions must meet the following criteria to be eligible for bounty awards:  

  • Identify a vulnerability in Microsoft Copilot that was not previously reported to, or otherwise known by, Microsoft. 
  • Such vulnerability must be Critical or Important severity as defined by the Microsoft Vulnerability Severity Classification for AI Systems and reproducible on the latest, fully patched version of the product or service.
  • Include clear, concise, and reproducible steps, either in writing or in video format. 
    • Provide our engineers the information necessary to quickly reproduce, understand, and fix the issue.
    • Find examples here.

We request researchers include the following information to help us quickly assess their submission: 

  • Submit through the MSRC Researcher Portal.
  • Select “Bing” in the “Products” section of the vulnerability submission.
  • Include the conversation ID in the “Details to reproduce” section of your vulnerability submission.
    • To retrieve the conversation ID, enter “/id” as a chat command.
  • Describe the attack vector for the vulnerability.

Microsoft may accept or reject any submission at our sole discretion that we determine does not meet the above criteria.  

GETTING STARTED  

Please create a test account and test tenants for security testing and probing. Please follow the Research Rules of Engagement to avoid harm to customer data, privacy, and service availability. If in doubt, please contact bounty@microsoft.com

  • Access Microsoft Copilot here.

BOUNTY AWARDS    

Bounty awards range from $2,000 up to $15,000.  Higher awards are possible, at Microsoft’s sole discretion, based on the severity and impact of the vulnerability and the quality of the submission. Eligible submissions will be awarded the single highest qualifying award. 

Researchers who provide submissions that do not qualify for bounty awards may still be eligible for public acknowledgement if their submission leads to a vulnerability fix, and points in our Researcher Recognition Program to earn swag and a place on the Microsoft Most Valuable Researcher list.

General Awards

 

Vulnerability Type

Report Quality

Severity

Critical

Important

Moderate

Low

Inference Manipulation

High

Medium

Low

$15,000

$10,000

$6,000

$6,000

$3,000

$2,000

$0

$0

Model Manipulation

High

Medium

Low

$15,000

$10,000

$6,000

$6,000

$3,000

$2,000

$0

$0

Inferential Information Disclosure

High

Medium

Low

$15,000

$10,000

$6,000

$6,000

$3,000

$2,000

$0

$0

IN SCOPE VULNERABILITIES  

In addition to the issues defined by the Microsoft Vulnerability Severity Classification for AI Systems, demonstration of individual and/or chains of vulnerabilities that lead to concrete outcomes within these attack domains are in scope for this program:

  • Influencing and changing Copilot's chat behavior across user boundaries, i.e. change the AI in ways that impact all other users.
  • Modifying Copilot's chat behavior by adjusting client and/or server visible configuration, such as setting debug flags, changing feature flags, etc.
  • Breaking Copilot's cross-conversation memory protections and history deletion.
  • Revealing Copilot's internal workings and prompts, decision making processes and confidential information.
  • Bypassing Copilot's chat mode session limits and/or restrictions/rules. 

RESEARCH RULES OF ENGAGEMENT 

The Microsoft AI bounty program’s scope is limited to technical vulnerabilities in Microsoft Copilot in the identified products and services. If you discover customer data while conducting your research, or are unclear if it is safe to proceed, please stop and contact us at bounty@microsoft.com. The following are not permitted: 

  • Gaining access to any data that is not wholly your own.  
    • For example, you are allowed and encouraged to create a small number of test accounts and/or trial tenants for the purpose of demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access the data that is not your own.  
  • Moving beyond “proof of concept” repro steps for server-side execution issues. 
    • For example, proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not.  
  • Any kind of Denial of Service testing. 
  • Performing automated testing of services that generates significant amounts of traffic.  
  • Attempting phishing or other social engineering attacks against others, including our employees. The scope of this program is limited to technical vulnerabilities in Microsoft Copilot.  
  • Using our services in a way that violates the service agreement & terms for that service.  

Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious.  

OUT OF SCOPE SUBMISSIONS AND VULNERABILITIES 

Microsoft is happy to receive and review every submission on a case-by-case basis, but some submission and vulnerability types may not qualify for bounty reward. Here are some of the common low-severity or out of scope issues that typically do not earn bounty rewards:  

  • Publicly-disclosed vulnerabilities which have already been reported to Microsoft or are already known to the wider security community.
  • Vulnerabilities in Microsoft Copilot related online services may be evaluated under the M365 bounty program.
  • Vulnerability patterns or categories for which Microsoft is actively investigating broad mitigations.
  • AI Command/Prompt Injection attacks that are used to make decisions that only affect the attacker or generate content that is shown only to the attacker.
  • Model Hallucination attacks where the model pretends to run arbitrary code provided to it or supposedly leak the system/meta prompt.
  • Chat responses that appear to be inaccurate, factually incorrect, or offensive.
    • Chat responses that appear to be offensive can be reported here.
  • Out of scope vulnerability types, including:
    • Vulnerabilities requiring physical access to hardware components
    • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
    • Cookie replay vulnerabilities 
    • Sub-Domain Takeovers 
    • Denial of Service issues
    • Low impact CSRF bugs (such as logoff) 
    • Server-side information disclosure such as IPs, server names and most stack traces. Debug pages and reverse minified JS are also out of scope
  • Vulnerabilities that are addressed via product documentation updates, without change to product code or function.
  • Vulnerabilities based on user configuration or action, for example: 
    • Vulnerabilities requiring extensive or unlikely user actions
    • Vulnerabilities in user-created content or applications 
  • Vulnerabilities based on third parties, for example: 
    • Vulnerabilities in third party software provided by Azure such as gallery images and ISV applications.  
    • Vulnerabilities in platform technologies that are not unique to the online services in question (for example, Apache or IIS vulnerabilities) 
  • Vulnerabilities in a web application that only affect unsupported browsers and plugins.
  • Training, documentation, samples, and community forum sites related to Microsoft Copilot products and services are not in scope for bounty awards.

Microsoft reserves the right to reject any submission that we determine, at our sole discretion, falls into any of these categories of vulnerabilities even if otherwise eligible for a bounty. 

ADDITIONAL INFORMATION

For additional information, please see our FAQ

  • If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first submission.
  • If a duplicate report provides us new information that was previously unknown to Microsoft, we may award a differential to the duplicate submission. 
  • If a submission is potentially eligible for multiple bounty programs, you will receive the single highest payout award from a single bounty program.
  • Microsoft reserves the right to reject any submission at our sole discretion that we determine does not meet these criteria.

REVISION HISTORY 

  • October 12, 2023: Program launched.
  • April 11, 2024: Updated in scope products to Microsoft Copilot.