
It’s Official – The Way We Recognize Our Security Researchers

We deeply appreciate the partnership of the many talented security researchers who report vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure. We pay bounties for research in key areas, and each year at Black Hat USA, we’ve recognized the most impactful researchers helping to protect the ecosystem. That’s not changing; we’re continuing to expand our bounty programs and will continue to recognize researchers with the greatest impact on the security ecosystem.

What’s changing is that we’re making our recognition model more transparent and predictable and establishing a tier-based system of rewards.

The new model is a standard points system to reflect the impact and reputation of all researchers who report to us, whether directly or through a program like Trend Micro’s Zero Day Initiative (ZDI) and iDefense. This model has two aspects: the points you earn for each actionable report you make, and the reputation score you develop based on the proportion of actionable reports you make.

Report Points

  • You earn base points for valid reports and may earn bonus multipliers
  • The first person to report a vulnerability will receive full points; the second report from another researcher will receive half points
  • By default you are anonymous but you may choose to be recognized by name or alias

Reputation Scores

  • Your reputation scores reflect your report accuracy and significance
  • Higher reputation scores contribute to faster triage (since you have established a track record)
  • Your reputation scores will be private

For full details of how you earn report points (including bonus multipliers) and develop a reputation score, see our program page. You gain points not when your report is fixed, but when it is determined to be a valid security issue that meets the bar for servicing. This new model is independent of our bounty program. When you report bounty-eligible vulnerabilities, you’ll earn points and get bounties.

As a security researcher, this model provides you with a simple way to maximize your research for higher point values and develop a reputation for more accuracy. The more research points you have and the greater your reputation score, the more you’re eligible for, including but not limited to:

  • Public recognition on our leaderboard and rankings
  • Annual recognition on the MSRC’s Most Valuable Security Researcher list
  • Special swag for each tier
  • Access to invitation-only MSRC events and programs

We’ll announce more updates to public recognition and rewards structure as they become available. Stay tuned!

Sylvie Liu, Security Program Manager, MSRC Community Programs
