It’s important to recognize the contributions that security researchers make to the Microsoft security ecosystem through Coordinated Vulnerability Disclosure. This page explains the MSRC researcher recognition model: earning points and establishing a reputation.

EARNING POINTS

Each valid vulnerability reported to the Microsoft Security Response Center receives points based on the severity and impact of the vulnerability. The source of the report isn’t important so long as it’s under CVD; reports submitted through Zero Day Initiative (ZDI) and iDefense are also eligible for points.

Based on your total points, you may be recognized in our public leaderboard and rankings and the annual Most Valuable MSRC Security Researcher list, and invited to participate in exclusive events and programs. Public recognition programs are always “opt-in”: by default you are anonymous, but you may choose to be recognized by name or alias.


How do I earn points?

Base points are determined by the severity and security impact of the vulnerability you submit.

                          CRITICAL   IMPORTANT   MODERATE   LOW   OTHER
REMOTE CODE EXECUTION        60         40          N/A      N/A    N/A
ELEVATION OF PRIVILEGE       40         20          N/A      N/A    N/A
INFORMATION DISCLOSURE       30*        15          N/A      N/A    N/A
SPOOFING                     20         15          N/A      N/A    N/A
SECURITY FEATURE BYPASS      N/A        10          N/A      N/A    N/A
TAMPERING                    N/A        10          N/A      N/A    N/A
DENIAL OF SERVICE            N/A        5-20**      N/A      N/A    N/A
REPUDIATION                  N/A        5           N/A      N/A    N/A
MITIGATION BYPASS***         N/A        N/A         N/A      N/A    60

* Example of a Critical Information Disclosure vulnerability: CVE-2014-0160
** A Denial of Service vulnerability in Windows Virtualization will receive 20 points. All others receive 5 points.
*** Submissions eligible for the Mitigation Bypass bounty program will receive 60 points, regardless of the Severity or Security Impact.

How do I get bonus multipliers?

Depending on the product or service affected, a bonus multiplier may be applied to the base points: vulnerabilities reported in certain products and services have their points multiplied as shown below. This list is subject to change over time, so keep an eye on the research bonus multipliers list!

3X RESEARCH AREAS

Azure
Identity
Windows (Virtualization/Kernel)
Windows Defender
Mitigation Bypass
MSRC Portal

2X RESEARCH AREAS

Windows
Office
Edge on Chromium
PowerBI
Developer Division
    - .NET
    - Visual Studio
    - PowerShell Core
    - NuGet Package Manager

1X RESEARCH AREAS

Research areas not included in the 3X, 2X or Out of Scope lists receive unmodified base points.

OUT OF SCOPE RESEARCH AREAS

Subdomain Takeover Vulnerabilities
GitHub*
LinkedIn*
End of Support Products

* Microsoft Security Response Center does not currently service vulnerabilities in GitHub or LinkedIn. To report an issue, go to GitHub’s Bug Bounty Program or LinkedIn’s Bug Bounty Program.

What if I report a vulnerability someone else already reported?

If you are the first person to submit a report for an unpatched vulnerability, you receive 100% of the points. If you are the second to submit a report, you receive 50% of the points. Additional reports of the same issue receive no points.

Example

A report for a critical remote code execution vulnerability in Windows Hyper-V will receive 60 points and a 3X research bonus.

  • If you are the first to submit the report on this vulnerability, you receive 100% of the points: 60 x 3 = 180 points.
  • If your report is the first duplicate of this vulnerability, you receive 50% of the points, which is 60 x 3 x 0.5 = 90 points.
  • If a third report of the same vulnerability is received, it will receive 0 points.

When are points assigned?

We’ll typically assign points within two weeks, after we have verified your report and determined that it meets our servicing criteria. Complex cases may take longer.

REPUTATION SCORES

Reputation scores include Accuracy and Significance measures. Reputation scores are not published and are only provided to individual security researchers. High reputation scores may help us expedite your report triage and assessment.

ACCURACY

Primary measure: Valid vulnerability reports

Definition: A report is considered invalid when it is resolved as:
• Not a Security Vulnerability
• Won’t Fix
• No Repro
All else are considered valid reports.

Calculation: Percentage of valid vulnerability reports vs. total reports you submit

Example:
• 10 reports in total
• 1 report resolved as “Not a Security Vulnerability”
• 2 reports resolved as “Won’t Fix”
• Valid reports = 10-1-2 = 7

Calculation: (7 ÷ 10) x 100% = 70%.
Your accuracy score: 70

Score scale: 0-100

SIGNIFICANCE

Primary measure: Critical/Important severity reports

Definition: Reports are cased and assigned Critical or Important severity

Calculation: Percentage of Critical/Important reports vs. total reports you submit

Example:
• 10 reports in total
• 3 reports are cased and assigned Critical severity
• 3 reports are cased and assigned Important severity
• Critical/Important reports = 3+3 = 6

Calculation: (6 ÷ 10) x 100% = 60%.
Your significance score: 60

Score scale: 0-100
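As an added worked example (not MSRC’s own code), the following Python applies the points table, footnote rules, research-area multipliers and duplicate rules from the Earning Points section, plus the accuracy and significance calculations above, to constructed reports. The Report fields, the area name strings, the assumption that an invalid report carries no severity, and applying the 3X multiplier on top of the 60 Mitigation Bypass points are my own choices.

```python
from dataclasses import dataclass

# Base points from the page's table; N/A cells are simply absent (-> 0).
BASE_POINTS = {
    "Remote Code Execution":   {"Critical": 60, "Important": 40},
    "Elevation of Privilege":  {"Critical": 40, "Important": 20},
    "Information Disclosure":  {"Critical": 30, "Important": 15},
    "Spoofing":                {"Critical": 20, "Important": 15},
    "Security Feature Bypass": {"Important": 10},
    "Tampering":               {"Important": 10},
    "Denial of Service":       {"Important": 5},   # 20 in Windows Virtualization (**)
    "Repudiation":             {"Important": 5},
}
MULTIPLIER = {  # research-area bonus; anything not listed here is 1X (assumed area names)
    "Azure": 3, "Identity": 3, "Windows (Virtualization/Kernel)": 3,
    "Windows Defender": 3, "Mitigation Bypass": 3, "MSRC Portal": 3,
    "Windows": 2, "Office": 2, "Edge on Chromium": 2, "PowerBI": 2,
    "Developer Division": 2,
}
OUT_OF_SCOPE = {"Subdomain Takeover", "GitHub", "LinkedIn", "End of Support Products"}
INVALID = {"Not a Security Vulnerability", "Won't Fix", "No Repro"}
DUPLICATE_SHARE = {1: 1.0, 2: 0.5}  # first report 100%, first duplicate 50%, later 0

@dataclass
class Report:                   # constructed record shape, not an MSRC data model
    impact: str                 # e.g. "Remote Code Execution"
    severity: str               # "Critical", "Important", ..., or "N/A" if never cased
    area: str                   # research area used for the bonus multiplier
    rank: int = 1               # 1 = first report, 2 = first duplicate, 3+ = later
    resolution: str = "Fixed"   # or one of INVALID

def base_points(r: Report) -> int:
    if r.area == "Mitigation Bypass":              # (***) 60 regardless of severity
        return 60
    if r.impact == "Denial of Service" and r.severity == "Important":
        return 20 if r.area == "Windows (Virtualization/Kernel)" else 5
    return BASE_POINTS.get(r.impact, {}).get(r.severity, 0)

def points(r: Report) -> int:
    """Base points x area multiplier x duplicate share; 0 if invalid or out of scope."""
    if r.resolution in INVALID or r.area in OUT_OF_SCOPE:
        return 0
    return int(base_points(r) * MULTIPLIER.get(r.area, 1) * DUPLICATE_SHARE.get(r.rank, 0.0))

def reputation(reports: list) -> tuple:
    """(accuracy, significance): valid and Critical/Important reports as % of all reports."""
    if not reports:
        return 0, 0
    valid = sum(r.resolution not in INVALID for r in reports)
    significant = sum(r.severity in ("Critical", "Important") for r in reports)
    return round(100 * valid / len(reports)), round(100 * significant / len(reports))
```

Running the page’s Hyper-V example through points() gives 180, 90 and 0 for the first, second and third report, and the two reputation examples give 70 and 60.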

REVISION HISTORY

2019-7-29: Information Published