MSRC Researcher Resource Center
Welcome!
Microsoft partners with the global security researcher community to surface and report security vulnerabilities to protect all end users of Microsoft products and services. This Resource Center will house educational content, including videos, blogs, and interviews, aimed at guiding and empowering Microsoft researchers in their efforts. Through researcher submissions, we address immediate threats while also identifying trends and insights to holistically improve the security of our attack surface. Through providing educational materials from both Microsoft employees and the MSRC’s top external researchers, we hope to support your security research growth!
Researcher Onboarding Video
Watch the Researcher Onboarding Video to learn about the Rules of Engagement, case process, available rewards through the Bounty Program, Recognition Program points and leaderboards, and our disclosure process.
MFA required for accessing MSRC portals
Microsoft Security Response Center (MSRC) will require Multi-Factor Authentication (MFA) across its public-facing portals, including the Microsoft Active Protections Program (MAPP) and the Researcher Portal. This initiative is another step forward in securing access to sensitive vulnerability data and aligns with Microsoft’s broader commitment to Zero Trust. By enabling MFA across MSRC portals, we are raising the bar for secure access while also ensuring that our partners and researchers can continue their work with confidence and minimal disruption.
Frequently Asked Questions (FAQ)
When will MFA be enforced on sign-in?
MSRC will enforce MFA sign-in starting December 1, 2025.
How will MFA be enforced?
When you sign in to one of the MSRC portals, you will be prompted to set up MFA before you are allowed to access the portal. All subsequent sign-ins will require you to authenticate using MFA.
If you sign in with a Microsoft Identity (work or personal) that is already MFA enabled, you will not be prompted for MFA during sign-in.
Can I opt out of MFA?
No, all users accessing these portals will need to perform MFA.
What are the options available for MFA?
MSRC portals will support one of the following:
Receiving a One Time Password (OTP) at the email address used to sign in.
Using a Time-based OTP (TOTP) in the Microsoft Authenticator application registered during setup. Note that to set up the Authenticator app, you will first need to verify your identity with an email one-time password.
Which application do I use for getting MFA codes?
For TOTP verification, you will need to use the Microsoft Authenticator application.
On iOS: Microsoft Authenticator on the App Store
On Android: Microsoft Authenticator - Apps on Google Play
What is the requirement for me to successfully authenticate with MFA?
You can receive emails from MSRC to receive an OTP.
You have TOTP set up in the Microsoft Authenticator application.
What is the behavior if my account is already MFA enabled?
If you previously opted in to perform MFA, your authentication experience will not change.
If you sign in with a Microsoft Identity (work or personal) that is already MFA enabled, you will not be prompted for MFA during sign-in.
If you use a Google account or create a local account with MSRC, you will be required to set up and authenticate via MFA within the MSRC portal.
What do I do if I lose one of my MFA methods?
If you lose the device on which you receive your TOTP code, you can set up a different device during sign-in. You will be asked to verify a code that will be sent to the email used with the account.
If you lose your email account that is tied to accessing MSRC portals, MSRC will disable the account and you will need to create a new account.
I opted out of MFA. Can I change my preference before enforcement?
MFA opt-in is a one-time choice and cannot be changed after it’s set. If you opted out, enforcement will begin on December 1st and MFA will be enabled at that time.
How can I check the email associated with my account?
When you sign in with MFA, you’ll see a partially masked version of the email linked to your MSRC account. This email cannot be changed.
Why am I not receiving the one-time password emails?
If you’re not receiving one-time password (OTP) emails, first check your spam or junk folder. Then, add the sender address to your safe senders list. These emails are sent from msonlineservicesteam@microsoftonline.com, so please make sure to whitelist the microsoftonline.com domain to ensure delivery.
Who do I reach out to if I am having trouble signing in with MFA?
For support, reach out via email to msrc-portals-support@microsoft.com.
Researcher BlueHat Podcasts and Webinars
Listen in as Top Microsoft Researchers and employees share their approach to security research.
Researcher Skill Development Resources
Ready to level up? Check out free research-focused educational resources offered by security research industry partners!
Hack The Box Labs
An online playground for cybersecurity students and enthusiasts, offering a wide range of hands-on labs that simulate real-world threats and attack scenarios. Platform members can test and enhance their skills across different domains – from beginner to advanced levels, from offensive to defensive – and collaborate with a global community. If you're looking to sharpen your hacking abilities and stay ahead in the constantly evolving world of cyber threats, you can start now for free here.
Hacker101
Hacker101 is a free class for web security. Whether you’re a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you. Start learning!
Bugcrowd University
Welcome to Bugcrowd University! Join us for free and begin your journey to become a white hat hacker. Bugcrowd University was created to help you learn the basics of hacking and bug bounty hunting. Get started!