Microsoft Researcher Recognition Program
The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure.
Anyone who submits a security vulnerability to the Microsoft Security Response Center (MSRC) is eligible to participate.
To view our leaderboards, please visit the MSRC Leaderboard site.
Program Overview
We award researchers points for each valid submission to the MSRC, and accumulated points earn researchers recognition on Microsoft’s Quarterly, Annual, and Technical Leaderboards, with the Top 100 from the Annual Leaderboard gaining the title of Most Valuable Researcher (MVR). MVRs may receive profile badges and swag for achievements in high impact, high accuracy research, and volume for their research.
How do points work?
It works like this:
points-new
Base Points
We award researchers points for each valid vulnerability reported to the MSRC. Base points are determined by the severity and security impact of each vulnerability submitted.
|
CRITICAL |
IMPORTANT |
MODERATE |
LOW |
OTHER |
|
|---|---|---|---|---|---|
|
REMOTE CODE EXECUTION |
60 |
40 |
0 |
0 |
0 |
|
ELEVATION OF PRIVILEGE |
40 |
20 |
0 |
0 |
0 |
|
INFORMATION DISCLOSURE |
30 |
15 |
0 |
0 |
0 |
|
SPOOFING |
20 |
15 |
0 |
0 |
0 |
|
SECURITY FEATURE BYPASS |
0 |
10 |
0 |
0 |
0 |
|
TAMPERING |
0 |
10 |
0 |
0 |
0 |
|
DENIAL OF SERVICE |
0 |
5-20 |
0 |
0 |
0 |
|
REPUDIATION |
0 |
5 |
0 |
0 |
0 |
|
MITIGATION BYPASS* |
0 |
0 |
0 |
0 |
60 |
* Submissions eligible for the Mitigation Bypass bounty program will receive 60 points, regardless of the Severity or Security Impact.
Research Bonus Multipliers
We award additional bonus points for vulnerabilities found in certain high-impact products and services. This list is subject to change over time, so keep an eye on the research bonus multipliers list!
|
3X RESEARCH AREAS |
Azure (including but not limited to Azure Services such as Azure Portal, Cloud Shell, Cloud Service, Azure Kubernetes Service, Azure Functions, Key Vault, Azure DevOps) |
|
2X RESEARCH AREAS |
Exchange Online |
|
1X RESEARCH AREAS
|
All other research areas not included in the 3X, 2X, or Out of Scope list |
|
OUT OF SCOPE RESEARCH AREAS |
Subdomain Takeover Vulnerabilities |
*Microsoft Security Response Center does not currently service vulnerabilities in GitHub or LinkedIn. To report an issue, go to GitHub’s Bug Bounty Program and LinkedIn’s Bug Bounty Program.
Duplicate Weighting
What if I report a vulnerability someone else already reported?
If you are the first person to submit a report for an unpatched vulnerability, you receive 100% of the points.
If you are the second to submit a report, you receive 50% of the points.
Additional reports of the same issue receive no points.
Leaderboards
Quarterly Leaderboard
Each quarter, we recognize all researchers who have received more than 20 points. In addition, we recognize researchers in specific research and technology areas in our Technical Leaderboards. Quarterly Technical Leaderboards recognize research in Azure, Office, and Windows.
Annual Leaderboard
Each year, we recognize researchers who have received over 20 points over the entire program period. Each program period runs from July 1 to June 30. For example, the 2022/2023 program period runs from July 1, 2022, to June 30, 2023.
Annual leaderboards include technical leaderboards for Azure, Office, Windows, and Dynamics. Researchers who do not make the MVR top 100 are eligible for quarterly leaderboards and will receive accuracy, impact, and volume badges where applicable on the published leaderboard page, but will not receive a digital form of the badge.
Technical Leaderboard
Technical Leaderboards recognize researchers who have distinguished themselves through high-impact research in specific areas, including Azure, Office, and Windows on a quarterly basis, and Dynamics on an annual basis. Technical leaderboards publish the top 10 ranks for each technical group for both Quarterly and Annual Leaderboards. Badges for technical leaderboards will be calculated using the points of only those cases that pertain to the technical research areas.
Most Valuable Researcher
The top 100 researchers from the Annual Leaderboard will receive the title of Most Valuable Researcher and will receive digital badges.
Digital Badges
Digital badges highlight researchers’ accomplishments throughout a program period and can be shared on professional profiles and social media such as LinkedIn and Twitter. The first badge recognizes our 2020 Most Valuable Security Researchers, with more badges to come!
-
Accuracy Badge: Recognizes researchers with 100% accuracy, meaning all their submissions were valid vulnerability reports
-
Impact Badge: Recognizes high-impact work, with the average points per valid vulnerability report at or above the 90th percentile
-
Volume Badge: Recognizes a larger body of work, requiring at least five valid vulnerability reports
Swag
Each year, a specifically designed SWAG box is sent to Microsoft’s Most Valuable Security Researchers (MVRs). This generally happens in the Fall after the annual MVR announcement, and each researcher eligible for a SWAG box will be notified by our team.
SITE MAINTENANCE ANNOUNCEMENT:
We are making updates to how we publish our leaderboards! You can find the most recent leaderboards on our MSRC leaderboard site! Legacy leaderboards listed below will be migrated over within the next few weeks.
2022 Q4 Security Researcher Leaderboard
Click here for the full list of the researchers recognized this quarter.
Q4 2022 Azure leaderboard image
Q4 2022 Office leaderboard image
Q4 2022 Windows leaderboard
Recognition Period
This 2022 Q4 leaderboard reflects point values for cases that are:
- Submitted and assessed by the MSRC team between October 1, 2022, and December 31, 2022
- Submitted between July 1, 2022, and September 30, 2022 (last program period), but assessed after October 1, 2022.
2022 Q3 Security Researcher Leaderboard
Click here for the full list of the researchers recognized this quarter.
2022 Q3 Leaderboard - Azure
2022 Q3 Leaderboard - Office
2022 Q3 Leaderboard - Windows
Recognition Period
This 2022 Q3 leaderboard reflects point values for cases that are:
- Submitted and assessed by the MSRC team between July 1, 2022, and September 30, 2022
- Submitted between April 1, 2022 and June 30, 2022 (last program period), but assessed after July 1, 2022
2021/2022 Recognition Period
Dates: July 1, 2021 – June 30, 2022
2022 Most Valuable Researchers
Click here for the full list of researchers recognized.
2022 Most Valuable Researchers - Azure
2022 Most Valuable Researchers - Dynamics
2022 Most Valuable Researchers - Office
2022 Most Valuable Researchers - Windows
2022 Q2 Security Researcher Leaderboard
Click here for the full list of the researchers recognized this quarter.
2022 Q2 Leaderboard - Azure
2022 Q2 Leaderboard - Office
2022 Q2 Leaderboard - Windows
Recognition Period
This 2022 Q2 leaderboard reflects point values for cases that are:
- Submitted and assessed by the MSRC team between April 1, 2022, and June 30, 2022
- Submitted between January 1, 2022 and March 31, 2022 (last program period), but assessed after April 1, 2022
2022 Q1 Security Researcher Leaderboard
Click here for the full list of researchers recognized this quarter.
2022 Q1 Leaderboard - Azure
2022 Q1 Leaderboard - Office
2022 Q1 Leaderboard - Windows
Recognition Period
This 2022 Q1 leaderboard reflects point values for cases that are:
- Submitted and assessed by the MSRC team between January 1, 2022, and March 31, 2022
- Submitted between October 1, 2021 and December 31, 2021 (last program period), but assessed after January 1, 2022
2021 Q4 Security Researcher Leaderboard
Click here for the full list of researchers recognized this quarter.
2021 Q4 Leaderboard - Azure
2021 Q4 Leaderboard - Office
2021 Q4 Leaderboard - Windows
Recognition Period
This 2021 Q4 leaderboard reflects point values for cases that are:
- Submitted and assessed by the MSRC team between October 1, 2021, and December 31, 2021
- Submitted between July 1, 2021 and September 30, 2021 (last program period), but assessed after October 1, 2021
Additional Information
Check out the frequently asked questions (FAQs). Still have questions? Email us at msrcmvr@microsoft.com.
Blog Posts
- 2023-04-13: Congratulations to the top MSRC 2023 Q1 Researchers!
- 2023-01-26: Congratulations to the top MSRC 2022 Q4 Researchers!
- 2022-10-24: Congratulations to the Top MSRC 2022 Q3 Researchers!
- 2022-08-08: Congratulations to the MSRC 2022 Most Valuable Researchers!
- 2022-07-19: Congratulations to the Top MSRC 2022 Q2 Researchers!
- 2022-04-21: Congratulations and New Swag Awards for the Top MSRC 2022 Q1 Security Researchers!
- 2022-02-01: Congratulations to the Top MSRC 2021 Q4 Researchers!
- 2022-02-01: Expanding the Microsoft Researcher Recognition Program
- 2021-10-14: Congratulations to the Top MSRC 2021 Q3 Security Researchers!
- 2021-08-04: Congratulations to the MSRC 2021 Most Valuable Security Researchers!
- 2021-07-15: Announcing the Top MSRC 2021 Q2 Security Researchers - Congratulations!
- 2021-04-15: Congratulating Our Top MSRC 2021 Q1 Security Researchers!
- 2021-02-10: MSRC Security Researcher Recognition: 2021
- 2021-01-14: Top MSRC 2020 Q4 Security Researchers - Congratulations!
- 2020-10-15: Announcing the Top MSRC 2020 Q3 Security Researchers
- 2020-08-05: Congratulations to the MSRC’s 2020 Most Valuable Security Researchers
- 2020-07-15: Top MSRC 2020 Q2 Security Researchers Announced – Congratulations!
- 2020-04-23: Congratulating Our Top 2020 Q1 Security Researchers!
- 2020-02-03: Recognizing Security Researchers in 2020
- 2020-01-15: Announcing MSRC 2019 Q4 Security Researcher Leaderboard
- 2019-10-17: Announcing the Security Researcher Quarterly Leaderboard (2019 Q3)
- 2019-08-07: Announcing 2019 MSRC Most Valuable Security Researchers
- 2019-07-30: Recognizing Security Researchers in 2019
- 2019-07-29: It’s Official – The Way We Recognize Our Security Researchers
Revision History
- 2019-07-29: Information Published
- 2020-01-28: Added Related Posts section
- 2020-04-23: Added published blog posts
- 2020-07-15: Added published blog post
- 2020-08-05: Added published blog post and updated research bonus multipliers table
- 2020-10-15: Added published blog post
- 2021-01-14: Added published blog post
- 2021-02-10: Added Current Recognition Period section and updated research bonus multipliers table
- 2021-04-15: Added published blog post
- 2021-07-15: Added published blog post
- 2021-08-04: Added published blog post
- 2021-10-14: Added published blog post
- 2022-02-01: Re-designed program page. Added link to FAQs.
- 2022-04-21: Added published blog post and 2022 Q1 leaderboard.
- 2022-07-19: Added published blog post and 2022 Q2 leaderboard.
- 2022-08-08: Added published blog post and 2022 MVRs.
- 2022-10-24: Added published blog post and 2022 Q3 leaderboard.
- 2023-01-26: Added published blog post and 2022 Q4 leaderboard.
- 2023-04-13: Added published blog post and 2023 Q1 leaderboard.