The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers by discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s 100 Most Valuable Researchers (MVRs), based on the total number of points earned for each valid report. Please join us in celebrating this year’s MVRs, including our top 10:
1. 🥇 VictorV
2. 🥈 wkai
3. 🥉 Suresh Chelladurai
4. Anonymous
5. Adnan
6. Dhiral Patel (@dhiralpatel94)
7. Nan Wang (@eternalsakura13) and Ziling Chen
8. Anonymous
9. 0x140ce
10. Azure Yang
See the full list of this year’s 100 MVRs, in addition to our Azure, Office, Windows, and Dynamics 365 leaderboards: https://lnkd.in/g6hnzpSC #bugbounty
Microsoft Security Response Center
Computer and Network Security
Protecting customers and Microsoft from current and emerging threats related to security and privacy.
About us
The Microsoft Security Response Center (MSRC) is dedicated to safeguarding customers and Microsoft from security threats. With over two decades of experience, we focus on prevention, rapid defense, and community trust. Together, we’ll continue to protect our users and the broader ecosystem.
- Website: https://www.microsoft.com/en-us/msrc
- Industry: Computer and Network Security
- Company size: 10,001+ employees
- Specialties: Cybersecurity, Security response, Incident response, Bug bounty, Security research, and BlueHat
Updates
Ashish Dhone, security researcher and Microsoft MVR, presented a BlueHat India session on one of the most elusive web security threats: Blind XSS. In his talk, “Breaking into Big Tech: The $50,000+ Blind XSS Bug Hunt,” Ashish walked through:
⚬ Advanced detection and exploitation techniques
⚬ Real-world case studies
⚬ Strategies for chaining vulnerabilities to escalate impact
⚬ Practical tips for researchers to improve bug bounty outcomes
This session offered learnings for defenders and researchers alike, highlighting how seemingly low-visibility bugs can lead to high-impact security findings. Read the deck and watch the session on YouTube: https://lnkd.in/dvBvGj-i #BlueHatIndia
Congratulations to all the researchers recognized in this quarter’s MSRC 2025 Q2 Security Researcher Leaderboard! Thanks to all the researchers who partnered with us for your hard work and continued dedication to securing our customers. Learn more in our blog post: Congratulations to the top MSRC 2025 Q2 security researchers! https://lnkd.in/gY3yDGsZ
We also want to recognize the top 10 researchers in the leaderboard:
🥇 wkai
🥈 Brad Schlintz
🥉 0x140ce
🥉 Zhiniang Peng with HUST & R4nger with CyberKunLun
5. VictorV
6. k0shl
7. wh1tc@Kunlun lab & devoke & Zhiniang Peng with HUST
8. Jongseong Kim, SEC-agent team
9. Anonymous
10. Haifei Li
10. Nick Wojciechowski
Security updates for July 2025 are now available! Details are here: https://msft.it/6018SZEg0 #PatchTuesday #SecurityUpdateGuide
At just 13 years old, Dylan Ryan-Zilavy became the youngest security researcher to collaborate with MSRC. What started with Scratch and HTML quickly evolved into submitting impactful vulnerability reports, respectfully challenging scope decisions, and even helping shape MSRC’s bug bounty policies. Today, Dylan is not only one of our youngest collaborators, but also one of our most thoughtful, balancing high school with cello, science competitions, and security research. In April, he placed 3rd at Microsoft’s Zero Day Quest, competing alongside seasoned security researchers. Read more about Dylan’s path, challenges, and achievements on the MSRC blog: https://lnkd.in/gqHdVmDW #bugbounty
From MS-DOS to Copilot, we’ve come a long way. This year, in honor of Microsoft’s 50th anniversary, MSRC is throwing it back (way back) with a "Microsoft Through the Decades" security researcher celebration during Black Hat.
🗓 August 7, 2025
📍 Skyfall Lounge, W Las Vegas
This invite-only event brings together members of the security community who’ve helped protect Microsoft across generations of tech. Apply to attend: https://lnkd.in/gUp4qbY4 #MSFTBlackHat #BHUSA
File system redirection has long been a tool for attackers seeking privilege escalation. RedirectionGuard, a new Windows mitigation, is designed to block malicious junction-based redirection by default, strengthening system security.
Key Features of RedirectionGuard:
• Blocks junction traversal only when followed by an opted-in process and when created by a non-admin user.
• Stores privilege metadata in an admin-only alternate data stream to verify junction trustworthiness.
• Already enabled in Windows Insider builds for User Profile Service, AppX Deployment Service, and Installer Service, historically among the most vulnerable components.
Learn more in our new blog by Michael Macelletti, Senior Security Researcher, Microsoft: https://lnkd.in/gAj3xMnV
Many thanks to Georgios Baltas and James Forshaw for their contributions.
At BlueHat India 2025, George Hughey, Senior Security Research Manager at Microsoft, walked through how MSRC turns competition exploits into long-term security wins through variant hunting. By analyzing every submitted exploit, MSRC has uncovered entire classes of vulnerabilities, from unchecked structure sizes to double fetches in the Windows kernel. One example: CVE-2024-26239 exposed an unchecked field in the RAS_ADVCONNECTIONPARAMS structure. MSRC researchers found that similar patterns existed in at least eight other CVEs, thanks to this kind of analysis. George’s takeaway: Don't stop at one bug. Look for patterns. Dig into how and where the same mistake might resurface and automate that search wherever possible. Review the deck below and watch the full session on YouTube: https://lnkd.in/d2Ae8Cvr #BlueHatIndia
As part of the Secure Future Initiative, Sherrod DeGrippo, Director of Threat Intelligence at Microsoft, led a half-day workshop for the Microsoft developer community on threat-driven software development. The session challenged participants to shift their perspective, from writing code to understanding how nation-state and criminal threat actors think, operate, and target systems. “Developers are on the front lines of our Secure Future Initiative,” Sherrod explained. “This workshop was about empowering them to think like threat analysts—seeing adversaries not as abstract risks, but as real people with real tactics. That mindset changes how we build everything.” Workshops like this bring engineering and threat intelligence together to help developers design more secure software from the start. One of the topics covered was Microsoft’s threat actor naming framework, which helps teams better understand the motivations and origins behind different threat groups and communicate about them clearly and consistently across teams: https://lnkd.in/dj_sTYyu #SFI
At BlueHat India 2025, Ram Shankar Siva Kumar, Data Cowboy and Head of the AI Red Team at Microsoft, delivered a keynote breaking down the future of red teaming in the era of generative AI. As GenAI systems grow more complex and autonomous, Microsoft’s AI Red Team is redefining how we assess AI risk, combining adversarial machine learning, traditional security testing, and responsible AI practices to uncover new classes of harm:
➤ Security failures: Classic issues like prompt injection and SSRF still persist
➤ Content safety harms: Bias, misinformation, and offensive content
➤ Dangerous capabilities: Persuasion, deception, and misuse of powerful models
➤ Psycho-social harms: Poor responses in therapeutic or sensitive contexts
➤ AI agents: New failure modes across decision-making loops
Ram also introduced open-source tooling like PyRIT and Microsoft’s integrated AI Red Team Agent to help the community red team GenAI systems at scale. One key message: Red teaming AI isn’t just a security task. It requires a diverse set of disciplines, from ML and security to ethics, policy, and human behavior. Review the deck below and watch the full session on YouTube: https://lnkd.in/dfFh9B7j #BlueHatIndia