Microsoft BlueHat

1.2K posts


@MSFTBlueHat

BlueHat is where the security research community and @Microsoft security pros come together as peers, to connect, share and learn. Run by @MSFTSecResponse

Redmond, WA USA
Joined January 2020
204 Following, 5K Followers
Microsoft BlueHat reposted
Microsoft Security Response Center
Day 2 of #ZeroDayQuest brought even more hacking, problem-solving, and unforgettable moments. We then went to Carmine’s for incredible food and even better conversation, connecting over vulnerabilities, defense strategies, and a shared passion for protecting customers. Tonight, we're wrapping up with closing ceremonies and a reception at the Space Needle.
Microsoft BlueHat reposted
Microsoft Security Response Center
Day 1 of the Zero Day Quest Onsite Hacking Event is in the books and we’ve kicked off Day 2. We welcomed top security researchers from around the world to Microsoft’s Redmond campus for a day of live hacking, collaboration, and connection. Researchers worked side-by-side with Microsoft engineers and product teams to identify vulnerabilities across our AI and cloud platforms. Lots of amazing reports and discussions flowed throughout the day with MSRC, product teams, and the researchers themselves all driving security forward together. We wrapped the day with a Seattle Kraken vs. Tampa Bay Lightning game in Seattle (tough loss, but the vibes were strong!). We’re incredibly grateful to the security researcher community. Your work makes a real impact in helping protect customers. #ZeroDayQuest
Microsoft BlueHat reposted
Microsoft Security Response Center
Today, we’re welcoming top security researchers from around the world to Microsoft’s Redmond campus for the first official day of the Zero Day Quest Onsite Hacking Event. They’ll collaborate with Microsoft engineers and product teams to uncover vulnerabilities across our AI and cloud platforms over the next two days. We’re thankful for the security researcher community and the impact their work has in helping protect customers. #ZeroDayQuest
Microsoft BlueHat reposted
Microsoft Security Response Center
We’re excited to welcome some of the world’s top security researchers to Zero Day Quest 2026 🎉 We kicked off the onsite hacking event with bowling, followed by dinner and drinks with incredible views. It’s the start of a full week of security research, collaboration with Microsoft teams, and social events including a Kraken hockey game, a brunch cruise, and more. We’re grateful to every researcher who qualified and joined us in person, as well as those participating remotely. Their work and partnership with Microsoft help protect customers and communities around the world. #ZeroDayQuest
Microsoft BlueHat @MSFTBlueHat
⏰ Just 3 days left to submit to the BlueHat Redmond CFP! Don’t miss the chance to share your work with the security community. Submit your abstract: aka.ms/BH26CFP #BlueHat
Microsoft BlueHat @MSFTBlueHat
Still thinking about submitting to BlueHat Redmond? We're opening a final Call for Papers submission window through Friday, March 6. If you’ve got research, lessons learned, or a perspective worth sharing, now’s the time to share your work with the security community. Submit your abstract here: aka.ms/BH26CFP #BlueHat
Quoted post from Microsoft BlueHat @MSFTBlueHat:

Kicking off the Call for Papers for BlueHat Redmond ⚽️ BlueHat brings together security researchers and responders to exchange ideas, experiences, and best practices. We’re looking for talks covering vulnerability research, mitigations, emerging threats and techniques, and more. Bring your best ideas, because security is a team sport. Submit your paper by February 28, 2026: aka.ms/BH26CFP

Microsoft BlueHat @MSFTBlueHat
What does cross-tenant RCE at scale actually look like in the cloud? In this BlueHat Asia talk, Microsoft MVR and Zero Day Quest qualifier Tzah Pahima (@TzahPahima) walks through real-world research into Azure shared infrastructure, from an initial signal to cross‑tenant remote code execution (and a very real “getting caught” moment). From Microsoft Purview and integration runtimes to Azure Synapse and Data Factory, this talk highlights how shared compute, connector design, and fragile mitigations can quietly create powerful attack paths. Watch the full talk on YouTube: youtube.com/watch?v=cYCjFw… Inspired to share your own research? The BlueHat Redmond Call for Papers is open through February 28. Submit your talk: aka.ms/BH26CFP
Microsoft BlueHat @MSFTBlueHat
🎉 BlueHat Redmond registration is officially open! 🎉 We’re excited to welcome the security community back to Microsoft’s Redmond campus for BlueHat 2026, taking place May 5–6, 2026. Don’t miss your chance to connect, learn, and share with the community. ➡️Register now: aka.ms/bluehatreg
Microsoft BlueHat @MSFTBlueHat
We’re excited to announce Mark Russinovich as a keynote speaker at BlueHat Redmond, from May 5-6, 2026. Mark Russinovich is CTO, Deputy CISO, and Technical Fellow for Microsoft Azure. A widely recognized expert in distributed systems, operating systems, and cybersecurity, Mark holds a Ph.D. in computer engineering from Carnegie Mellon University and co‑founded Winternals Software before joining Microsoft in 2006. A frequent speaker at Microsoft Ignite, Microsoft Build, and RSA Conference, Mark is also the author of Windows Internals, Troubleshooting with the Sysinternals Tools, and the cyber‑thriller novels Zero Day, Trojan Horse, and Rogue Code. Mark previously delivered a keynote at BlueHat 2023, and we’re excited to welcome him back. Watch his 2023 keynote here: youtube.com/watch?v=8hXBqp…
Microsoft BlueHat reposted
Microsoft Security Response Center @msftsecresponse
From a shared family PC to uncovering critical vulnerabilities in Microsoft identity systems. Meet Asem Eleraky (@Melotover), a Microsoft Valuable Researcher and Zero Day Quest qualifier, whose story proves that deep focus, iteration, and curiosity can unlock some of the hardest targets in security: msft.it/6010QPDzn
Microsoft BlueHat reposted
Microsoft Security Response Center @msftsecresponse
The global security research community plays a critical role in protecting Microsoft customers. As Tom Gallagher (@secbughunter), VP of Engineering at MSRC, shares in today’s announcement, we’re evolving how researcher impact is recognized. Starting with the July 2026 Most Valuable Researcher (MVR) leaderboard, rankings will be based on bounty award amounts, providing a consistent signal that aligns recognition with vulnerability severity and security outcomes. We’re also introducing honorable mentions to recognize all researchers who submit valid vulnerability reports, independent of ranking. Read the full announcement for more details: msft.it/6013Q3zlv
Microsoft BlueHat @MSFTBlueHat
At BlueHat Asia, Harish Poornachander (Security Engineer at NetApp and MSRC Most Valuable Researcher 2024) breaks down how real‑world CI/CD and DevSecOps missteps lead to poisoned pipeline execution, secret exfiltration, and privilege escalation.

In this talk, Harish walks through concrete failure modes seen across modern pipelines, including:
• Untrusted PR execution and pull_request_target pitfalls
• Command injection via unsanitized inputs
• Issue‑comment workflows that unintentionally grant “CLI access”
• Artifact poisoning and unsafe extraction paths
• Self‑hosted runner persistence risks
• Privilege escalation via workflow_run
• Approval and merge bypasses involving bot identities

He closes with clear, actionable mitigations, from least‑privilege tokens and commit SHA pinning to safer artifact handling and operational monitoring, with notes on similar patterns in GitHub Actions, Azure DevOps, CircleCI, and AWS CodeBuild.

Watch the full talk: youtube.com/watch?v=eZhkR2…
View the slides here: linkedin.com/feed/update/ur…