Microsoft Researcher Recognition Program
The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure.
Anyone who submits a security vulnerability to the Microsoft Security Response Center (MSRC) is eligible to participate.
To view our leaderboards, please visit the MSRC Leaderboard site.
Is this your first time reporting to the MSRC? Want to learn more about our case process? Visit our MSRC Researcher Resource Center to watch the Researcher Onboarding Video to learn about the Rules of Engagement, case process, available rewards through the Bounty Program, recognition points and leaderboards, and our disclosure process.
Program Overview
We award researchers points for each valid submission to the MSRC, and accumulated points earn researchers recognition on Microsoft’s Quarterly, Annual, and Technical Leaderboards, with the Top 100 from the Annual Leaderboard gaining the title of Most Valuable Researcher (MVR). MVRs may receive profile badges and swag for achievements in high impact, high accuracy research, and volume for their research.
How do points work?
It works like this:
Base Points
We award researchers points for each valid vulnerability reported to the MSRC. Base points are determined by the severity and security impact of each vulnerability submitted.
| CRITICAL | IMPORTANT | MODERATE | LOW | OTHER | |
|---|---|---|---|---|---|
| REMOTE CODE EXECUTION |
60
|
40
|
0
|
0
|
0
|
| ELEVATION OF PRIVILEGE |
40
|
20
|
0
|
0
|
0
|
| INFORMATION DISCLOSURE |
30
|
15
|
0
|
0
|
0
|
| SPOOFING |
20
|
15
|
0
|
0
|
0
|
| SECURITY FEATURE BYPASS |
0
|
10
|
0
|
0
|
0
|
| TAMPERING |
0
|
10
|
0
|
0
|
0
|
| DENIAL OF SERVICE |
0
|
5
|
0
|
0
|
0
|
Research Bonus Multipliers
We award additional bonus points for vulnerabilities found in certain high-impact products and services. This list is subject to change over time, so keep an eye on the research bonus multipliers list!
| 3X RESEARCH AREAS |
Azure (including but not limited to Azure Services such as Azure Portal, Cloud Shell, Cloud Service, Azure Kubernetes Service, Azure Functions, Key Vault, Azure DevOps)
Identity Windows (Hyper-V and eligible attack scenarios) |
| 2X RESEARCH AREAS | |
| 1X RESEARCH AREAS |
All other research areas not included in the 3X, 2X, or Out of Scope list
|
| OUT OF SCOPE RESEARCH AREAS |
*Microsoft Security Response Center does not currently service vulnerabilities in GitHub or LinkedIn. To report an issue, go to GitHub’s Bug Bounty Program and LinkedIn’s Bug Bounty Program.
Duplicate Weighting
What if I report a vulnerability someone else already reported?
If you are the first person to submit a report for an unpatched vulnerability, you receive 100% of the points.
If you are the second to submit a report, you receive 50% of the points.
Additional reports of the same issue receive no points.
Leaderboards
Case points will be awarded based on Assessment Date time stamp to ensure that cases that span two recognition periods are not missed.
Each quarter, cases assessed within that quarter will recieve points.
Quarterly Leaderboard
Each quarter, we recognize all researchers who have received more than 20 points. In addition, we recognize researchers in specific research and technology areas in our Technical Leaderboards. Quarterly Technical Leaderboards recognize research in Azure, Office, Windows, and Dynamics.
Annual Leaderboard
Each year we recognize the MSRC's Most Valuable Researchers who have achieved the Top 100 ranks.
Each program period runs from July 1 to June 30. For example, the 2025/2026 program period runs from July 1, 2025, to June 30, 2026.
Annual leaderboards include technical leaderboards for Azure, Office, Windows, and Dynamics. Researchers who do not make the MVR top 100 are eligible for quarterly leaderboards and will receive accuracy, impact, and volume badges where applicable on the published leaderboard page, but will not receive a digital form of the badge.
Technical Leaderboard
Technical Leaderboards recognize researchers who have distinguished themselves through high-impact research in specific areas, including Azure, Office, Windows, and Dynamics. Technical leaderboards publish the top 10 ranks for each technical group for both Quarterly and Annual Leaderboards.
Annual Technical Leaderboards are not limited to the Top 100 and will feature all the Top 10 researchers each technical group regardless of MVR status.
Most Valuable Researcher
The top 100 researchers from the Annual Leaderboard will receive the title of Most Valuable Researcher and will receive digital badges.
Digital Badges
Digital badges highlight researchers’ accomplishments throughout a program period and can be shared on professional profiles and social media such as LinkedIn and Twitter. The first badge recognizes our 2020 Most Valuable Security Researchers, with more badges to come!
Accuracy Badge: Recognizes researchers with 100% accuracy, meaning all their submissions were valid vulnerability reports
Impact Badge: Recognizes high-impact work, with the average points per valid vulnerability report at or above the 90th percentile
Volume Badge: Recognizes a larger body of work, requiring at least five valid vulnerability reports
Swag
Researchers who earn a position on the quarterly leaderboards will receive a claim link to select swag from options list on SwagMagic.
Each year, a specifically designed SWAG box is sent to Microsoft’s Most Valuable Security Researchers (MVRs). This generally happens in the Fall after the annual MVR announcement, and each researcher eligible for a Swag box will be notified by our team.
How to set your Leaderboard Name or choose to be displayed as Anonymous
For all researchers, if you’d like to have your name included in ongoing Quarterly and Annual leaderboards, please confirm or update your “Preferred Name” in the Researcher Portal. Preferred names cannot be changed once published.
You can update your Preferred Name and change your Recognition Preference anytime by logging into your MSRC Researcher Portal account. Note, both fields must be filled out to be opted-in for recognition.
- Select your Recognition Program Preference
We periodically recognize our top performing researchers on publicly available web pages (e.g. leaderboards). Researcher recognition programs are always “opt-in”, by default you are anonymous, but you may choose to be recognized by name or alias. You can indicate your recognition preference by selecting one of the options below in your MSRC Researcher Portal profile:
- Opt-in to the researcher recognition program, display my name as Anonymous
- Opt-in to the researcher recognition program, display my Preferred Name
- Opt-out from the researcher recognition program
- Provide your Preferred Name for Recognition
If you selected to display your Preferred Name for leaderboard recognition, you can click “Edit” to update your Preferred Name
Additional Information
Check out the frequently asked questions (FAQs). Still have questions? Email us at msrcmvr@microsoft.com.
Blog Posts
- 2023-04-13: Congratulations to the top MSRC 2023 Q1 Researchers!
- 2023-01-26: Congratulations to the top MSRC 2022 Q4 Researchers!
- 2022-10-24: Congratulations to the Top MSRC 2022 Q3 Researchers!
- 2022-08-08: Congratulations to the MSRC 2022 Most Valuable Researchers!
- 2022-07-19: Congratulations to the Top MSRC 2022 Q2 Researchers!
- 2022-04-21: Congratulations and New Swag Awards for the Top MSRC 2022 Q1 Security Researchers!
- 2022-02-01: Congratulations to the Top MSRC 2021 Q4 Researchers!
- 2022-02-01: Expanding the Microsoft Researcher Recognition Program
- 2021-10-14: Congratulations to the Top MSRC 2021 Q3 Security Researchers!
- 2021-08-04: Congratulations to the MSRC 2021 Most Valuable Security Researchers!
- 2021-07-15: Announcing the Top MSRC 2021 Q2 Security Researchers - Congratulations!
- 2021-04-15: Congratulating Our Top MSRC 2021 Q1 Security Researchers!
- 2021-02-10: MSRC Security Researcher Recognition: 2021
- 2021-01-14: Top MSRC 2020 Q4 Security Researchers - Congratulations!
- 2020-10-15: Announcing the Top MSRC 2020 Q3 Security Researchers
- 2020-08-05: Congratulations to the MSRC’s 2020 Most Valuable Security Researchers
- 2020-07-15: Top MSRC 2020 Q2 Security Researchers Announced – Congratulations!
- 2020-04-23: Congratulating Our Top 2020 Q1 Security Researchers!
- 2020-02-03: Recognizing Security Researchers in 2020
- 2020-01-15: Announcing MSRC 2019 Q4 Security Researcher Leaderboard
- 2019-10-17: Announcing the Security Researcher Quarterly Leaderboard (2019 Q3)
- 2019-08-07: Announcing 2019 MSRC Most Valuable Security Researchers
- 2019-07-30: Recognizing Security Researchers in 2019
- 2019-07-29: It’s Official – The Way We Recognize Our Security Researchers
Revision History
- 2019-07-29: Information Published
- 2020-01-28: Added Related Posts section
- 2020-04-23: Added published blog posts
- 2020-07-15: Added published blog post
- 2020-08-05: Added published blog post and updated research bonus multipliers table
- 2020-10-15: Added published blog post
- 2021-01-14: Added published blog post
- 2021-02-10: Added Current Recognition Period section and updated research bonus multipliers table
- 2021-04-15: Added published blog post
- 2021-07-15: Added published blog post
- 2021-08-04: Added published blog post
- 2021-10-14: Added published blog post
- 2022-02-01: Re-designed program page. Added link to FAQs.
- 2022-04-21: Added published blog post and 2022 Q1 leaderboard.
- 2022-07-19: Added published blog post and 2022 Q2 leaderboard.
- 2022-08-08: Added published blog post and 2022 MVRs.
- 2022-10-24: Added published blog post and 2022 Q3 leaderboard.
- 2023-01-26: Added published blog post and 2022 Q4 leaderboard.
- 2023-04-13: Added published blog post and 2023 Q1 leaderboard.