Microsoft Researcher Recognition Program

We’re working on a self-service way for researchers to know how many points they earned for each submitted case, but until then, please email msrcmvr@microsoft.com.

Points are assigned once the assessment has completed and moved to the “develop” status in the MSRC Researcher Portal.

• If you are the first person to submit a report for an unpatched vulnerability, you receive 100% of the points.
• If you are the second to submit a report, you receive 50% of the points.
• Additional reports of the same issue receive no points.

Example:

A report for a critical remote code execution vulnerability in Windows Hyper-V will receive 60 points and a 3X research bonus multiplier. 

• If you are the first to submit the report on this vulnerability, you receive 100% of the points, 60 x 3 = 180 points. 
• If your report is the first duplicate of this vulnerability, you receive 50% of the points, which is 60 x 3 x 0.5 = 90 points. 
• If a third report of the same vulnerability is received, it will receive 0 points. 

An example of a critical severity, information disclosure vulnerability is CVE-2014-0160.

A denial of service vulnerability in Windows Virtualization will receive 20 points. All others receive 5 points.

We award accuracy badges based on the percentage of valid vulnerability reports vs. the total number of reports submitted.

A report is considered as invalid when it is resolved as:

• Not a Security Vulnerability
• Won’t Fix
• No Repro

All else are considered as valid reports. 

Calculation

Percentage of valid vulnerability reports vs. total reports submitted.

Example:

• 10 reports in total 
• 1 report resolved as “Not a Security Vulnerability"
• 2 reports resolved as "Won't Fix"
• Valid reports = 10-1-2 = 7

Calculation: (7 ÷ 10) x 100% = 70%.

Your accuracy score: 70

Score Scale: 0-100

Based on your total points, you may be recognized in our public leaderboard and rankings. The Microsoft Researcher Recognition Program is “opt-in”, by default you are “anonymous”, but you may choose to be recognized by name or alias.

Want to “opt-in” to the Microsoft Researcher Recognition Program?

• Log into your MSRC Researcher Portal account. Navigate to the “Profile” section.
• In the “Community Profile” section, you will find the “Recognition Program Preference” field.
• Select “Opt-in to the researcher recognition program, display my Preferred Name” or “Opt-in to the researcher recognition program, display my name as Anonymous”.
• If you would like to be recognized by name or alias, in the “Account Name” section of your profile, you will find the “Preferred Name” field.

Ensure your “Recognition Program Preference” in your MSRC Researcher Portal profile is set to either “Opt-in to the researcher recognition program, display my name as Anonymous” or “Opt-out from the researcher recognition program”.

The Microsoft Researcher Recognition Program points model is not tied to the Microsoft Bounty Program. Cases that are out of scope for a bounty award may still be eligible for points through the Microsoft Researcher Recognition Program. Check out our program page for more information on what cases are eligible for points.

Yes! There is no limit to the number of leaderboards you are recognized in during a specific program period.

Yes, we award researchers points for each valid vulnerability reported to the MSRC. The source of the report isn’t important, so long as it’s under coordinated vulnerability disclosure. Reports submitted through ZDI or iDefense are eligible for points under this program.

Email us at msrcmvr@microsoft.com.