Headline
Recognizing Security Researchers in 2020
Is it too early to talk about the 2020 MSRC Most Valuable Security Researchers? Five months from now, at the end of June, the program period closes for researchers to be considered for inclusion in the Most Valuable Researchers list. The top researcher list will be revealed at Black Hat North America in August.
Is it too early to talk about the 2020 MSRC Most Valuable Security Researchers? Five months from now, at the end of June, the program period closes for researchers to be considered for inclusion in the Most Valuable Researchers list. The top researcher list will be revealed at Black Hat North America in August.
For now, we want to explain who will get recognized as a MSRC Most Valuable Security Researcher for 2020, introduce the new MSRC Contributor tier in our researcher recognition program, and share some tips that can help you get into our top researcher tiers.
2020 Most Valuable Security Researcher 2020 Most Valuable Security Researcher
How do I get in?
Similar to last year, we take report volume, accuracy and impact into consideration. Here are the two paths to get into this top tier for reporting over the program period:
Path One: Contribution-based (recognizes a larger body of work)
- Volume: you reported at least five valid vulnerabilities during the evaluation period
- Accuracy: at least 50% of your reports are valid (your accuracy score)
- Impact: the average points of your valid vulnerability reports put you at or above the 50th percentile for report impact
Path Two: Impact-based (recognizes a smaller body of higher-impact work)
- Volume : You reported at least three valid vulnerabilities during the evaluation period
- Accuracy: at least 50% of your reports are valid (your accuracy score)
- Impact : the average points of your valid vulnerability reports put you at or above the 90th percentile for report impact
What do I get?
If you are identified as a 2020 MSRC Most Valuable Security Researcher, you’re eligible for benefits, including but not limited to:
- Annual recognition on the MSRC’s Most Valuable Security Researcher list
- Special SWAG box for Most Valuable Researchers
- Access to Microsoft products and services for research purposes
- Access to invitation-only MSRC events
- Invitation to private MSRC programs
How about the ranking?
Either the contribution-based or impact-based model can get you into the top tier. Once you’re in, your rank within that tier will depend on the total number of points you’ve received.
2020 MSRC Contributor 2020 MSRC Contributor
How do I get in?
MSRC Contributor is the next tier in our researcher recognition program. The criteria for getting into this tier are:
- Volume : you reported at least three valid vulnerabilities during the evaluation period
- Accuracy : at least 50% of your reports are valid (your accuracy score)
- Impact: the average points of your valid vulnerability reports put you at or above the 50th percentile for report impact
What do I get?
If you are identified as a 2020 MSRC Contributor, you’re eligible for, including but not limited to:
- Special SWAG box for MSRC Contributors
- Access to invitation-only MSRC events
When do I need to report by to be considered? When do I need to report by to be considered?
The program period for the 2020 Most Valuable Security Researcher and MSRC Contributor includes cases that fall into either of these categories:
- Reported and assessed by the MSRC team between July 1, 2019 and June 30, 2020
- Submitted between July 1, 2018 and June 30, 2019 (last program period), but assessed after July 1, 2019
What’s next? What’s next?
We are five months away until the end of the program period. Here are some tips to help you get into the top tier:
Research in certain areas (e.g. Azure and Identity) can help you earn additional research multipliers. Check out our MSRC Recognition Program page showing you where you can find additional multipliers to improve your standings.
Focus your reach on critical and high impact vulnerabilities to get higher base points. Here are some useful readings:
Security Update Severity Rating System
Directory of Azure Services
Example of High Quality Reports
Microsoft Security Servicing Criteria for Windows
Microsoft Documentation for end users, developers, and IT professionals
Microsoft Security Research & Defense Blog
HackerOne’s Hacker101 training
Bugcrowd University
Ready to submit your next vulnerability report? Submit it today via our researcher portal aka.ms/secure-at.
Sylvie Liu, Security Program Manager, Microsoft Security Response Center