We deeply appreciate the partnership of the many talented security researchers who report vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure. We pay bounties for research in key areas, and each year at Black Hat USA, we’ve recognized the most impactful researchers helping to protect the ecosystem. That’s not changing; we’re continuing to expand our bounty programs and will continue to recognize researchers with the greatest impact on the security ecosystem.
What’s changing is that we’re making our recognition model more transparent and predictable and establishing a tier-based system of rewards.
The new model is a standard points system that reflects the impact and reputation of all researchers who report to us, whether directly or through a program like Trend Micro’s Zero Day Initiative (ZDI) or iDefense. This model has two aspects: the points you earn for each actionable report you make, and the reputation score you develop from the proportion of actionable reports you make.
For full details of how you earn report points (including bonus multipliers) and develop a reputation score, see our program page. You gain points not when your report is fixed, but when it is determined to be a valid security issue that meets the bar for servicing. This new model is independent of our bounty program. When you report bounty-eligible vulnerabilities, you’ll earn points and get bounties.
For you as a security researcher, this model provides a simple way to aim your research at higher point values and to build a reputation for accuracy. The more research points you have and the greater your reputation score, the more you’re eligible for, including but not limited to:
- Public recognition on our leaderboard and rankings
- Annual recognition on the MSRC’s Most Valuable Security Researcher list
- Special swag for each tier
- Access to invitation-only MSRC events and programs
We’ll announce more updates to public recognition and rewards structure as they become available. Stay tuned!
Sylvie Liu, Security Program Manager, MSRC Community Programs