Rising star: Meet Dylan, MSRC’s youngest security researcher

At just 13 years old, Dylan became the youngest security researcher to collaborate with the Microsoft Security Response Center (MSRC). His journey into cybersecurity is inspiring—rooted in curiosity, resilience, and a deep desire to make a difference.

Early beginnings: From scratch to security

Dylan’s fascination with technology began early. Like many kids, he started with Scratch—a visual programming language for making simple games and animations. But for Dylan, Scratch was more than a toy; it was the start of a much bigger journey. He quickly moved on to HTML and other languages, and by 5th grade, he was analyzing source code behind educational platforms. One experiment—unlocking games before completing the lessons—landed him in a bit of trouble but also sparked a growing interest in how systems work.

That curiosity only deepened during the COVID-19 pandemic. When his school disabled student access to create Teams meetings, Dylan found a workaround using Outlook. It wasn’t about bypassing rules—it was about helping classmates stay connected in a time of isolation. It was a glimpse of the problem-solver he was becoming.

Dylan’s first vulnerability

When his school later disabled student-created Teams chats, Dylan didn’t give up—he got creative. What began as a quest to restore communication options became his introduction to security research. After 9 months of self-teaching, exploration, and trial and error, he discovered a vulnerability that let him take over any Teams group. That breakthrough marked his entry into the world of responsible disclosure—and kicked off his relationship with MSRC.

Soon after, Dylan submitted his first official vulnerability report to Microsoft. In response, the Bug Bounty team updated its program terms to allow participation from researchers as young as 13. Since then, Dylan has worked closely with MSRC, demonstrating technical insight and professionalism well beyond his age.

Collaborating with MSRC

Dylan’s communication skills are as impressive as his technical ones. He’s known for respectfully pushing back when he disagrees with MSRC’s initial assessments—always aiming to understand their perspective and articulate his own clearly. This thoughtful approach has earned him respect and helped drive meaningful results.

One notable example: Dylan submitted a vulnerability in the Authenticator Broker service that was initially considered out of scope. Through clear, constructive dialogue, he helped MSRC understand its broader implications. The result? Not only was the issue acknowledged, but the bounty program also expanded its scope to include it for future submissions—a testament to Dylan’s impact.

Challenges and triumphs

Despite his achievements, Dylan’s path hasn’t been easy. He’s faced misunderstood reports and setbacks, but credits his family—especially his mother, father, stepparents, and grandparents—for helping him stay grounded, patient, and professional.

His journey hasn’t just been technical. During the pandemic, Dylan also lost his voice due to a health issue and underwent two surgeries to recover it. The experience only strengthened his resolve and resilience.

What’s next for Dylan?

Now a junior in high school, Dylan balances schoolwork with extracurriculars like Science Olympiad, math competitions, swimming, biking, and cello. He filed 20 vulnerability reports last summer alone—up from just six total beforehand.

He’s been named to MSRC’s Most Valuable Researcher list for both 2022 and 2024. In April 2025, Dylan competed at Microsoft’s Zero Day Quest—a premier onsite hacking event in Redmond, Washington—and took home 3rd place, an incredible achievement that placed him among the top researchers globally.

Despite a busy academic schedule, Dylan continues to see security research as a rewarding hobby. He’s passionate about learning, exploring new vulnerabilities, and giving back to the community. Long-term, he’s open to a range of possibilities, including continued work in cybersecurity, science, or civics.

Dylan also dreams of attending security conferences as soon as he’s old enough, eager to meet fellow researchers and learn from the best. For other young researchers, his story is proof that age is no barrier—what matters most is creativity, persistence, and a willingness to learn.