Rising Star: Meet Dylan, Microsoft’s Youngest Security Researcher & Bug Bounty Rule Changer at 13
The world of cybersecurity is typically dominated by seasoned professionals with years of experience. Yet, on occasion, the most unexpected discoveries emerge from those who haven’t even reached adulthood.
Dylan became the youngest security researcher ever recognized by the Microsoft Security Response Center. At just 13, he not only uncovered a critical vulnerability within enterprise systems, but also prompted the tech giant to revise the rules of its bug bounty program.
His fascination with technology began with Scratch, a programming language designed for children to build simple games and animations. For Dylan, however, it was merely the prologue to a much grander journey. He quickly mastered HTML and various programming languages, and by fifth grade, was already analyzing the source code of educational platforms.
A school incident—where he attempted to bypass an academic platform to access games without completing assignments—resulted in disciplinary trouble but ignited a deep curiosity about how systems function. That curiosity only deepened during the COVID-19 pandemic, when the school disabled students’ ability to schedule meetings in Teams. Dylan discovered a workaround through Outlook. His intent was noble: to help his classmates stay connected during a time of isolation. It was the first glimpse of a future problem-solver.
When student chats were later disabled in Teams, Dylan didn’t give up. Instead, he got creative. Nine months of self-study, experimentation, and relentless testing led to the discovery of a vulnerability that allowed him to seize control of any Teams group. This marked his first formal foray into responsible disclosure.
Microsoft’s response was remarkable. The Bug Bounty team amended its participation guidelines, lowering the minimum age to 13 specifically to accommodate cases like Dylan’s. Since then, he has worked closely with MSRC, consistently demonstrating technical acumen and a level of professionalism far beyond his years.
Equally impressive are his communication skills. Dylan respectfully challenges MSRC’s initial assessments when he disagrees, always eager to understand alternative perspectives while articulating his own with clarity. This thoughtful approach has earned him respect and helped secure impactful outcomes.
A striking example came with a vulnerability in the Authenticator Broker service, initially deemed outside the program’s scope. Through constructive dialogue, Dylan guided the team to recognize the broader implications of the issue. The result exceeded expectations: Microsoft acknowledged the flaw and expanded the scope of the program to accommodate future reports.
His journey hasn’t been without hardship. Dylan faced misinterpretations of his findings and endured setbacks, but unwavering support from his family—especially his parents and grandparents—helped him remain composed and focused. During the pandemic, he lost his voice due to a health condition and underwent two surgeries, experiences that only strengthened his resolve.
Now a high school student, Dylan balances his studies with participation in science Olympiads, math competitions, swimming, cycling, and playing the cello. Last summer alone, he submitted 20 vulnerability reports—a dramatic increase from the six he’d submitted previously. He was named among MSRC’s Most Valuable Researchers in both 2022 and 2024, and in April 2025, he secured third place at Zero Day Quest, a prestigious hacking competition held at Microsoft’s headquarters.