The Making of the Top 100 Researcher List

At Black Hat USA each year, we unveil the Top 100 Security Researcher list to reflect the amazing engagement we get from the community. During this period, we had several thousand researchers engage with the Microsoft Security Response Center (MSRC). We appreciate all the partnership and coordination that goes on throughout the year. The Top 100 list gives us a chance to give a special shout out to some of the most productive researchers in the year. As we get closer to the reveal, a common theme in questions around the unveiling is, “how do I get my name up there?” This year we will give you an insider view into the making of the Top 100 list.

To produce the list, we first start with all cases fixed between July 1, 2017, and June 30, 2018. We take this first slice to reflect the cases that were addressed. Reports that end up being fixed later will get counted in the following year’s tally. We then sort by acknowledgements to determine the researcher and extrapolate from those reporting through third parties, like ZDI or iDefense. Now enters the math. Not all vulnerabilities are the same. We weigh the list based off security impact and then assigned severity. We do this to focus and recognize research that has larger impact on customers. Security impact is differentiated on a scale of 1-20 and severity is scored 1-3. Finally, we adjust to acknowledge the research in the Mitigation Bounty and Bounty for Defense that typically have lower security impacts, but broaden defenses for all customers. Then it is just a matter of drawing the line at 100. Researchers with the same weighted score are given the same listing on the chart. We cut the number as close to 100 as possible, accounting for ties.

The list is final and will be unveiled at Black Hat USA the morning of Wednesday, August, 8th. We will also post the results in our blog and at the Microsoft Community Party during Black Hat. Thank you to all our researchers for the hard work and partnership you have had with us throughout the year. We look forward to working with you more in the year to come.

Phillip Misner
Principal Security Group Manager

Microsoft Security Response Center