This is the Trace Id: df0138e3eace7ca968cb34a2354ee3a6
Skip to main content
MSRC

Microsoft Researcher Recognition Program

The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure.

Anyone who submits a security vulnerability to the Microsoft Security Response Center (MSRC) is eligible to participate.

To view our leaderboards, please visit the MSRC Leaderboard site.

Is this your first time reporting to the MSRC? Want to learn more about our case process? Visit our MSRC Researcher Resource Center to watch the Researcher Onboarding Video to learn about the Rules of Engagement, case process, available rewards through the Bounty Program, recognition points and leaderboards, and our disclosure process.

Program Overview

We award researchers points for each valid submission to the MSRC, and accumulated points earn researchers recognition on Microsoft’s Quarterly, Annual, and Technical Leaderboards, with the Top 100 from the Annual Leaderboard gaining the title of Most Valuable Researcher (MVR). MVRs may receive profile badges and swag for achievements in high impact, high accuracy research, and volume for their research. 

How do points work?

It works like this:

points-new

Base Points

We award researchers points for each valid vulnerability reported to the MSRC. Base points are determined by the severity and security impact of each vulnerability submitted.

CRITICAL IMPORTANT MODERATE LOW OTHER
REMOTE CODE EXECUTION
60
40
0
0
0
ELEVATION OF PRIVILEGE
40
20
0
0
0
INFORMATION DISCLOSURE
30
15
0
0
0
SPOOFING
20
15
0
0
0
SECURITY FEATURE BYPASS
0
10
0
0
0
TAMPERING
0
10
0
0
0
DENIAL OF SERVICE
0
5-20
0
0
0
REPUDIATION
0
5
0
0
0
MITIGATION BYPASS*
0
0
0
0
0

* Submissions eligible for the Mitigation Bypass bounty program​ will receive 60 points, regardless of the Severity or Security Impact.

Research Bonus Multipliers

We award additional bonus points for vulnerabilities found in certain high-impact products and services. This list is subject to change over time, so keep an eye on the research bonus multipliers list!

3X RESEARCH AREAS​
Azure (including but not limited to Azure Services such as Azure Portal, Cloud Shell, Cloud Service, Azure Kubernetes Service, Azure Functions, Key Vault, Azure DevOps)
Identity
Windows (Hyper-V and eligible attack scenarios)
2X RESEARCH AREAS​
Exchange Online 
Teams
Dynamics 365
Windows Defender
Edge on Chromium 
MSRC Portal
IoT
AI/ML
1X RESEARCH AREAS​
All other research areas not included in the 3X, 2X, or Out of Scope list
OUT OF SCOPE RESEARCH AREAS
Subdomain Takeover Vulnerabilities 
GitHub*  
LinkedIn*
End of Support Products

*Microsoft Security Response Center does not currently service vulnerabilities in GitHub or LinkedIn. To report an issue, go to GitHub’s Bug Bounty Program and LinkedIn’s Bug Bounty Program.

Duplicate Weighting

What if I report a vulnerability someone else already reported?

If you are the first person to submit a report for an unpatched vulnerability, you receive 100% of the points.

If you are the second to submit a report, you receive 50% of the points.

Additional reports of the same issue receive no points.

Leaderboards

Quarterly Leaderboard

Each quarter, we recognize all researchers who have received more than 20 points. In addition, we recognize researchers in specific research and technology areas in our Technical Leaderboards. Quarterly Technical Leaderboards recognize research in Azure, Office, Windows, and Dynamics. 

Annual Leaderboard

Each year, we recognize researchers who have received over 20 points over the entire program period. Each program period runs from July 1 to June 30. For example, the 2022/2023 program period runs from July 1, 2022, to June 30, 2023. 

Annual leaderboards include technical leaderboards for Azure, Office, Windows, and Dynamics. Researchers who do not make the MVR top 100 are eligible for quarterly leaderboards and will receive accuracy, impact, and volume badges where applicable on the published leaderboard page, but will not receive a digital form of the badge.  

Technical Leaderboard

Technical Leaderboards recognize researchers who have distinguished themselves through high-impact research in specific areas, including Azure, Office, and Windows on a quarterly basis, and Dynamics. Technical leaderboards publish the top 10 ranks for each technical group for both Quarterly and Annual Leaderboards. 

Annual Technical Leaderboards are not limited to the Top 100 and will feature all the Top 10 researchers each technical group regardless of MVR status.

Most Valuable Researcher

The top 100 researchers from the Annual Leaderboard will receive the title of Most Valuable Researcher and will receive digital badges. 

Digital Badges

Digital badges highlight researchers’ accomplishments throughout a program period and can be shared on professional profiles and social media such as LinkedIn and Twitter. The first badge recognizes our 2020 Most Valuable Security Researchers, with more badges to come!

  • Accuracy Badge: Recognizes researchers with 100% accuracy, meaning all their submissions were valid vulnerability reports 

  • Impact Badge: Recognizes high-impact work, with the average points per valid vulnerability report at or above the 90th percentile 

  • Volume Badge: Recognizes a larger body of work, requiring at least five valid vulnerability reports 

Swag

Each year, a specifically designed SWAG box is sent to Microsoft’s Most Valuable Security Researchers (MVRs). This generally happens in the Fall after the annual MVR announcement, and each researcher eligible for a SWAG box will be notified by our team.

SITE MAINTENANCE ANNOUNCEMENT:

We are making updates to how we publish our leaderboards! You can find the most recent leaderboards on our MSRC leaderboard site! Legacy leaderboards listed below will be migrated over within the next few weeks. 

azure leaderboard image
Q4 2022 Office leaderboard image
Q4 2022 Windows leaderboard

Recognition Period

This 2022 Q4 leaderboard reflects point values for cases that are:

  • Submitted and assessed by the MSRC team between October 1, 2022, and December 31, 2022 
  • Submitted between July 1, 2022, and September 30, 2022 (last program period), but assessed after October 1, 2022.
2022 Q3 Leaderboard - Azure
2022 Q3 Leaderboard - Office
2022 Q3 Leaderboard - Windows

Recognition Period

This 2022 Q3 leaderboard reflects point values for cases that are:

  • Submitted and assessed by the MSRC team between July 1, 2022, and September 30, 2022
  • Submitted between April 1, 2022 and June 30, 2022 (last program period), but assessed after July 1, 2022

2021/2022 Recognition Period

Dates: July 1, 2021 – June 30, 2022

2022 Most Valuable Researchers

Click here for the full list of researchers recognized.

 

2022 Most Valuable Researchers - Azure
2022 Most Valuable Researchers - Dynamics
2022 Most Valuable Researchers - Office
2022 Most Valuable Researchers - Windows
2022 Q2 Leaderboard - Azure
2022 Q2 Leaderboard - Office
2022 Q2 Leaderboard - Windows

Recognition Period

This 2022 Q2 leaderboard reflects point values for cases that are:

  • Submitted and assessed by the MSRC team between April 1, 2022, and June 30, 2022
  • Submitted between January 1, 2022 and March 31, 2022 (last program period), but assessed after April 1, 2022


2022 Q1 Security Researcher Leaderboard

Click here for the full list of researchers recognized this quarter.

 

2022 Q1 Leaderboard - Azure
2022 Q1 Leaderboard - Office
2022 Q1 Leaderboard - Windows

Recognition Period

This 2022 Q1 leaderboard reflects point values for cases that are:

  • Submitted and assessed by the MSRC team between January 1, 2022, and March 31, 2022
  • Submitted between October 1, 2021 and December 31, 2021 (last program period), but assessed after January 1, 2022
 

2021 Q4 Security Researcher Leaderboard

Click here for the full list of researchers recognized this quarter.

2021 Q4 Leaderboard - Azure
2021 Q4 Leaderboard - Office
2021 Q4 Leaderboard - Windows

Recognition Period

This 2021 Q4 leaderboard reflects point values for cases that are:

  • Submitted and assessed by the MSRC team between October 1, 2021, and December 31, 2021
  • Submitted between July 1, 2021 and September 30, 2021 (last program period), but assessed after October 1, 2021


Additional Information

Check out the frequently asked questions (FAQs). Still have questions? Email us at msrcmvr@microsoft.com.


Blog Posts

Revision History

  • 2019-07-29: Information Published
  • 2020-01-28: Added Related Posts section
  • 2020-04-23: Added published blog posts
  • 2020-07-15: Added published blog post
  • 2020-08-05: Added published blog post and updated research bonus multipliers table
  • 2020-10-15: Added published blog post
  • 2021-01-14: Added published blog post
  • 2021-02-10: Added Current Recognition Period section and updated research bonus multipliers table
  • 2021-04-15: Added published blog post
  • 2021-07-15: Added published blog post
  • 2021-08-04: Added published blog post
  • 2021-10-14: Added published blog post
  • 2022-02-01: Re-designed program page. Added link to FAQs.
  • 2022-04-21: Added published blog post and 2022 Q1 leaderboard.
  • 2022-07-19: Added published blog post and 2022 Q2 leaderboard.
  • 2022-08-08: Added published blog post and 2022 MVRs.
  • 2022-10-24: Added published blog post and 2022 Q3 leaderboard.
  • 2023-01-26: Added published blog post and 2022 Q4 leaderboard.
  • 2023-04-13: Added published blog post and 2023 Q1 leaderboard.