Microsoft’s Youngest Security Researcher: Dylan, 13, Uncovers Teams Flaw & Prompts Bug Bounty Rule Change
Ddos 
Microsoft recently published a blog post highlighting its youngest security researcher to date—an individual who began collaborating with the company at the age of 13, submitting vulnerability reports and earning bug bounties awarded by Microsoft.
Interestingly, the original terms of Microsoft’s Bug Bounty Program did not permit participation by minors. However, in order to accept his findings, issue a bounty reward, and foster continued collaboration, Microsoft amended the program’s rules to allow participation by individuals as young as 13. This young researcher, named Dylan, was the sole impetus for this age-related policy revision.
In 2019, Dylan discovered a vulnerability in Microsoft Teams that allowed an attacker to hijack any group within the platform. Rather than exploiting the flaw maliciously, Dylan responsibly disclosed it to the Microsoft Security Response Center (MSRC).
Upon verifying the vulnerability, Microsoft revised its bounty program terms to accommodate young researchers and officially accepted Dylan’s submission—the first ever from a participant of that age—marking his debut as the youngest collaborator in MSRC’s history.
Now a high school senior, Dylan has already submitted 20 vulnerability reports as of last year. In April of this year, he also secured third place in Microsoft’s Zero Day Quest hacking challenge, earning high praise from the company.
Despite his achievements, Dylan continues to balance his studies, daily life, and other personal interests. He currently regards cybersecurity as an enriching hobby, though he expresses a strong desire to pursue it professionally. What excites him most, however, is the prospect of eventually attending security conferences—where he hopes to meet fellow researchers and learn from their experience.
Donate