In a significant move to bolster the security of its AI-driven products, Microsoft has expanded its Copilot AI (artificial intelligence) bug bounty program, with the company now offering rewards of up to $30,000 to ethical security researchers for identifying critical vulnerabilities in Dynamics 365 and Power Platform.
This initiative highlights the company's commitment to proactively addressing potential security threats and ensuring the robustness of its growing AI ecosystem.
For those unaware, Power Platform is a low-code platform created to allow businesses to analyze data, build solutions, automate processes, and create virtual agents to overcome business challenges, while Dynamics 365 is a suite of cloud-based business apps that connects several business operations, including customers, products, and teams.
Expanded Scope and Increased Rewards
The expanded bug bounty program now includes a broader range of Copilot consumer products, including integrations with messaging platforms like Telegram and WhatsApp, as well as web-based platforms like copilot.microsoft.com and copilot.ai.
Researchers are encouraged to discover and report vulnerabilities across these platforms, with rewards determined based on the severity of the identified issues. Under the updated bug bounty program:
- Critical vulnerabilities can earn researchers up to $30,000.
- Important vulnerabilities may fetch rewards ranging from $1,000 to $20,000.
- Moderate vulnerabilities, previously not eligible for monetary rewards, now offer up to $5,000.
- Low-severity vulnerabilities remain ineligible for rewards.
This tiered reward system covers a range of security concerns, with particular emphasis on AI-specific vulnerability classes such as inference manipulation, model manipulation, and inferential information disclosure.
“We invite individuals or organizations to identify security vulnerabilities in targeted Dynamics 365 and Power Platform applications and share them with our team. Qualified submissions are eligible for bounty rewards of $500 to $30,000 USD,” the company said.
“To be eligible for AI Bounty Awards, such vulnerability must be Critical or Important severity as defined in the Microsoft Vulnerability Severity Classification for AI Systems and reproducible on a product or service listed in the In Scope Services and Products.”
Focus on AI Security
To ensure consistency and transparency, Microsoft has aligned the Copilot bug bounty program with its Online Services Bug Bar, which provides a standardized framework for evaluating the severity of reported flaws across its online services. This initiative is part of Microsoft’s broader Secure Future Initiative (SFI), launched in November 2023 to improve cybersecurity measures across all products and services.
For more information on participating in Microsoft’s bug bounty programs, interested security researchers can visit the official Microsoft Security Response Center website.