The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure.

Anyone who submits a security vulnerability to the Microsoft Security Response Center (MSRC) is eligible to participate.

Program Overview

We award researchers points for each valid submission to the MSRC, and accumulated points earn researchers a spot on Microsoft’s quarterly and annual most valuable researcher leaderboards, as well as profile badges and swag for achievements in high impact, high accuracy research, and other areas.

How do points work?

It works like this:

points-new

points-new

Base Points

We award researchers points for each valid vulnerability reported to the MSRC. Base points are determined by the severity and security impact of each vulnerability submitted.

CRITICAL

IMPORTANT

MODERATE

LOW

OTHER

REMOTE CODE EXECUTION

60

40

0

0

0

ELEVATION OF PRIVILEGE

40

20

0

0

0

INFORMATION DISCLOSURE

30

15

0

0

0

SPOOFING

20

15

0

0

0

SECURITY FEATURE BYPASS

0

10

0

0

0

TAMPERING

0

10

0

0

0

DENIAL OF SERVICE

0

5-20

0

0

0

REPUDIATION

0

5

0

0

0

MITIGATION BYPASS*

0

0

0

0

60

* Submissions eligible for the Mitigation Bypass bounty program​ will receive 60 points, regardless of the Severity or Security Impact.

Research Bonus Multipliers

We award additional bonus points for vulnerabilities found in certain high-impact products and services. This list is subject to change over time, so keep an eye on the research bonus multipliers list!

3X RESEARCH AREAS​

Azure (including but not limited to Azure Services such as Azure Portal, Cloud Shell, Cloud Service, Azure Kubernetes Service, Azure Functions, Key Vault, Azure DevOps)
Identity
Windows (Hyper-V and eligible attack scenarios)

2X RESEARCH AREAS​

Exchange Online 
Teams
Dynamics 365
Windows Defender
Edge on Chromium 
MSRC Portal
IoT
AI/ML

 

1X RESEARCH AREAS​

 

 

All other research areas not included in the 3X, 2X, or Out of Scope list

OUT OF SCOPE RESEARCH AREAS

Subdomain Takeover Vulnerabilities 
GitHub*  
LinkedIn*
End of Support Products

*Microsoft Security Response Center does not currently service vulnerabilities in GitHub or LinkedIn. To report an issue, go to GitHub’s Bug Bounty Program and LinkedIn’s Bug Bounty Program.

Duplicate Weighting

What if I report a vulnerability someone else already reported?

  • If you are the first person to submit a report for an unpatched vulnerability, you receive 100% of the points.
  • If you are the second to submit a report, you receive 50% of the points.
  • Additional reports of the same issue receive no points.
How do leaderboards work?
Quarterly

Each quarter, we recognize all researchers that have received more than 20 points. In addition, we recognize researchers in specific research and technology area leaderboards who have submitted high impact vulnerabilities in areas like Azure and Windows.

Annual

Each year, we recognize researchers with the highest points over the entire program period. Each program period runs from July 1 to June 30. For example, the 2021/2022 program period runs from July 1, 2021, to June 30, 2022.

How does the accuracy score work? 

We award accuracy badges based on the percentage of valid vulnerability reports vs. the total number of reports submitted.

How do badges work?

Digital badges highlight researchers’ accomplishments throughout a program period and can be shared on professional profiles and social media such as LinkedIn and Twitter. The first badge recognizes our 2020 Most Valuable Security Researchers, with more badges to come!

How does SWAG work?

Each year, a specifically designed SWAG box is sent to Microsoft’s Most Valuable Security Researchers (MVRs). This generally happens in the Fall after the annual MVR announcement, and each researcher eligible for a SWAG box will be notified by our team.

Current Recognition Period

Dates: July 1, 2022 - June 30, 2023

Check back later for more leaderboards.

2021/2022 Recognition Period

Dates: July 1, 2021 – June 30, 2022

2022 Most Valuable Researchers

Click here for the full list of researchers recognized.

 

2022 Most Valuable Researchers - Azure

2022 Most Valuable Researchers - Azure

2022 Most Valuable Researchers - Dynamics

2022 Most Valuable Researchers - Dynamics

2022 Most Valuable Researchers - Office

2022 Most Valuable Researchers - Office

2022 Most Valuable Researchers - Windows

2022 Most Valuable Researchers - Windows

2022 Q2 Leaderboard - Azure

2022 Q2 Leaderboard - Azure

2022 Q2 Leaderboard - Office

2022 Q2 Leaderboard - Office

2022 Q2 Leaderboard - Windows

2022 Q2 Leaderboard - Windows

Recognition Period

This 2022 Q2 leaderboard reflects point values for cases that are:

  • Submitted and assessed by the MSRC team between April 1, 2022, and June 30, 2022
  • Submitted between January 1, 2022 and March 31, 2022 (last program period), but assessed after April 1, 2022
2022 Q1 Security Researcher Leaderboard

Click here for the full list of researchers recognized this quarter.

 

2022 Q1 Leaderboard - Azure

2022 Q1 Leaderboard - Azure

2022 Q1 Leaderboard - Office

2022 Q1 Leaderboard - Office

2022 Q1 Leaderboard - Office

2022 Q1 Leaderboard - Office

Recognition Period

This 2022 Q1 leaderboard reflects point values for cases that are:

  • Submitted and assessed by the MSRC team between January 1, 2022, and March 31, 2022

  • Submitted between October 1, 2021 and December 31, 2021 (last program period), but assessed after January 1, 2022
2021 Q4 Security Researcher Leaderboard

Click here for the full list of researchers recognized this quarter.

2021 Q4 Leaderboard - Azure

2021 Q4 Leaderboard - Azure

2021 Q4 Leaderboard - Office

2021 Q4 Leaderboard - Office

2021 Q4 Leaderboard - Windows

2021 Q4 Leaderboard - Windows

Recognition Period

This 2021 Q4 leaderboard reflects point values for cases that are:

  • Submitted and assessed by the MSRC team between October 1, 2021, and December 31, 2021
  • Submitted between July 1, 2021 and September 30, 2021 (last program period), but assessed after October 1, 2021

Additional Information

Check out the frequently asked questions (FAQs). Still have questions? Email us at msrcmvr@microsoft.com.

Blog Posts

Revision History

  • 2019-07-29: Information Published
  • 2020-01-28: Added Related Posts section
  • 2020-04-23: Added published blog posts
  • 2020-07-15: Added published blog post
  • 2020-08-05: Added published blog post and updated research bonus multipliers table
  • 2020-10-15: Added published blog post
  • 2021-01-14: Added published blog post
  • 2021-02-10: Added Current Recognition Period section and updated research bonus multipliers table
  • 2021-04-15: Added published blog post
  • 2021-07-15: Added published blog post
  • 2021-08-04: Added published blog post
  • 2021-10-14: Added published blog post
  • 2022-02-01: Re-designed program page. Added link to FAQs.
  • 2022-04-21: Added published blog post and 2022 Q1 leaderboard.
  • 2022-07-19: Added published blog post and 2022 Q2 leaderboard.
  • 2022-08-08: Added published blog post.