
The Making of the Top 100 Researcher List

At Black Hat USA each year, we unveil the Top 100 Security Researcher list to reflect the amazing engagement we get from the community. During this period, we had several thousand researchers engage with the Microsoft Security Response Center (MSRC). We appreciate all the partnership and coordination that goes on throughout the year. The Top 100 list gives us a chance to give a special shout-out to some of the most productive researchers of the year. As we get closer to the reveal, a common question around the unveiling is, “How do I get my name up there?” This year we will give you an insider view into the making of the Top 100 list.

To produce the list, we first start with all cases fixed between July 1, 2017, and June 30, 2018. We take this first slice to reflect the cases that were addressed. Reports that end up being fixed later will get counted in the following year’s tally. We then sort by acknowledgements to determine the researcher and extrapolate from those reporting through third parties, like ZDI or iDefense.

Now enters the math. Not all vulnerabilities are the same. We weight the list based on security impact and then assigned severity. We do this to focus on and recognize research that has a larger impact on customers. Security impact is differentiated on a scale of 1-20 and severity is scored 1-3. Finally, we adjust to acknowledge the research in the Mitigation Bounty and Bounty for Defense, which typically has lower security impact but broadens defenses for all customers.

Then it is just a matter of drawing the line at 100. Researchers with the same weighted score are given the same listing on the chart. We cut the number as close to 100 as possible, accounting for ties.

The list is final and will be unveiled at Black Hat USA on the morning of Wednesday, August 8th. We will also post the results on our blog and at the Microsoft Community Party during Black Hat. Thank you to all our researchers for the hard work and partnership you have had with us throughout the year. We look forward to working with you more in the year to come.

Phillip Misner, Principal Security Group Manager

Microsoft Security Response Center
