MSRC Security Researcher Recognition: 2021

Wondering how to get into the 2021 MSRC Most Valuable Security Researcher list and get recognized during the Black Hat USA this August? Read on to learn more about the different paths you can take to get into the top researcher tiers.

The MSRC Most Valuable Security Researcher (MVR) and MSRC Contributor are tiers in the Researcher Recognition Program which annually recognize researchers for impactful contributions, considering report impact, accuracy and volume. We are excited to announce that new to the MVR tier for 2021 is a brand-new category, the ALL-STAR.

Choose Your Own Path to MSRC Top Researcher Tiers Choose Your Own Path to MSRC Top Researcher Tiers

2021 MSRC Most Valuable Security Researcher 2021 MSRC Most Valuable Security Researcher****How do I qualify? How do I qualify?

NEW for 2021, we are introducing the ALL-STAR category, which recognizes researchers who rise to meet our toughest challenge to date and awards researchers with additional points in the final ranking. Below, we break down each category, to help you identify which path is right for you:

• IMPACT (recognizes a smaller body of higher-impact work)

• Volume : at least three valid vulnerabilities during the evaluation period

• Impact : average points of valid vulnerability reports is at or above the 90th percentile for report impact

• Accuracy: at least 50% of your reports are valid (How do I calculate my accuracy score?)

• VOLUME (recognizes a larger body of work)

• Volume: at least five valid vulnerabilities during the evaluation period

• Impact: the average points of your valid vulnerability reports put you at or above the 50th percentile for report impact

• Accuracy: at least 50% of your reports are valid (How do I calculate my accuracy score?)

• ALL-STAR (recognizes a larger amount of high impact work)

• Volume: Minimum of five valid, qualifying vulnerabilities reported during the evaluation period

• Impact: the average points of your valid vulnerability reports put you at or above the 90th percentile for report impact

• Accuracy: at least 60 % of your reports are valid (How do I calculate my accuracy score?)

How are rankings determined in the Most Valuable Security Researcher List? How are rankings determined in the Most Valuable Security Researcher List?

Meeting the criteria for either the IMPACT, VOLUME or ALL-STAR category can get you into the 2021 MSRC Most Valuable Security Researcher tier. Once you’re in, your ranking will depend on the total points you’ve earned.

Researchers who reach the ALL-STAR category will get a 1.5X bonus multiplier for the total points earned in the final ranking. For example, a researcher who earned a total of 500 points and reached the ALL-STAR category will get 500 x 1.5 = 750 points in the final ranking.

What do I get? What do I get?

As a 2021 MSRC Most Valuable Security Researcher, you will be eligible for several benefits during the forthcoming twelve months, which may include but not be limited to:

• Annual recognition on the MSRC’s Most Valuable Security Researcher list announced during Black Hat USA
• Limited edition SWAG designed exclusively for Most Valuable Researchers
• Access to Microsoft products and services for research purposes
• Access to invitation-only MSRC events
• Invitation to private MSRC programs

2021 MSRC Contributor 2021 MSRC Contributor****How do I get in? How do I get in?

MSRC Contributor is the next tier in our Researcher Recognition Program. This tier recognizes researchers who are on the way to qualifying for the MVR tier. The criteria for this program are:

• Volume : you reported at least three valid vulnerabilities during the evaluation period
• Impact: the average points of valid vulnerability reports put you at or above the 50th percentile for report impact
• Accuracy : at least 50% of your reports are valid (How do I calculate my accuracy score?)

What do I get? What do I get?

If you are identified as a 2021 MSRC Contributor, you’re eligible for, including but not limited to:

• Special SWAG box for MSRC Contributors
• Access to invitation-only MSRC events

What is the period of time for program consideration? What is the period of time for program consideration?

To qualify for both the 2021 Most Valuable Security Researcher and MSRC Contributor recognition, cases must fall into either of these categories:

• Reported and assessed by the MSRC team between July 1, 2020 and June 30, 2021
• Reported between July 1, 2019 and June 30, 2020 (the previous program period), but assessed by the MSRC team after July 1, 2020.

What can you do next? What can you do next?

We are under six months away until the end of the program period. Here are some tips to help you get into the top tier:

• Start with a solid base: Not all vulnerabilities are equal in impact. By focusing your research on Critical and Important vulnerabilities, you start with the highest base points possible. Check the MSRC Researcher Recognition Program page for a breakdown of the base points you can earn for different Severity and Security Impact ratings.

• Multiply your impact: Review the MSRC Researcher Recognition Program page for research areas with the highest multipliers (e.g. Azure and Identity) for the biggest boost.

• Additional resources:

• Directory of Azure Services

• Example of High-Quality Reports

• Security Update Severity Rating System

• MSRC Research & Defense Blog

• HackerOne’s Hacker101 training

• Bugcrowd University

• Microsoft Documentation for end users, developers, and IT professionals

Ready to submit your next vulnerability report? Submit it today via our MSRC Researcher Portal aka.ms/secure-at.

Sylvie Liu, Security Program Manager, Microsoft Security Response Center