Bug hunting in Microsoft products is carried out through several means, including automated scanning, machine learning, and regular penetration testing by internal Microsoft teams and independent auditors. Microsoft also uses bug bounty programs to incentivize disclosure of new vulnerabilities so that they can be mitigated as soon as possible. For those who want to learn bug hunting, Microsoft offers various resources and training programs for security professionals, such as the Microsoft Security Development Lifecycle (SDL) and the Microsoft Professional Program in Cybersecurity.