Inside the MSRC – How we recognize our researchers

This is the first of a series of blog entries to give some insight into the Microsoft Security Response Center (MSRC) business and how we work with security researchers and vulnerability reports.

The Microsoft Security Response Center actively recognizes those security researchers who help us to protect our several billion customers and their endpoints in several ways. We split our acknowledgments into three distinct categories, CVE qualified submissions, online services, and bug bounty. It is possible that a single submission will be acknowledged by one or more of these categories. We update our acknowledgements each month with the latest findings and submissions.

When it comes to recognizing our researchers through Coordinated Vulnerability Disclosure (CVD), if the finding that was submitted was impactful enough to be addressed in our monthly bulletin release (more on that in our next blog) it will be assigned a CVE number that is credited to the researcher. The researcher and their associated CVE are acknowledged monthly here in the MSRC Security Update Guide.

Our Online Services Security Researcher Acknowledgements credit those researchers who are involved with making our online platforms safer by not only submitting their findings, but also working closely with us to fix vulnerabilities discovered during their research. We draw an immense body of knowledge and capability through direct engagement with security researchers who test and evaluate our online services spaces. Together with our Operational Security Assessment work, we are constantly improving our offerings and providing a secure experience to our customers globally.

Finally, the Microsoft Bug Bounty program offers a unique acknowledgment platform to reward security researchers with cash and other prizes for submitting their findings inside of our eligible bounty programs. Security researchers (aka “Bounty Hunters”) can potentially earn anywhere between five hundred dollars and two hundred fifty thousand dollars for each submission to the Microsoft Bug Bounty program. Currently we offer nine different bounty programs where there is an opportunity to earn money for submissions.

The security community is full of great research and insight, we all succeed when we come together on a common platform.  We appreciate working with security researchers to better customer security and ensure our products and services continue to evolve with the threat landscape.  Public acknowledgements are just one way we want to interact and support security research in the community.  A big thank you to all the researchers that have and continue to engage directly with us.

Our next blog entry will look at what sort of reports go into our monthly security update cycle.  Stay tuned.


Phillip Misner,

Principal Security Group Manager

Microsoft Security Response Center