Dylan, 13, has accomplished a remarkable achievement by becoming the youngest security researcher to work with the Microsoft Security Response Center (MSRC), leaving his mark on the history of cybersecurity.
His journey from tinkering with Scratch, a visual programming language for creating games, to identifying critical vulnerabilities in Microsoft products showcases a rare blend of curiosity, technical acumen, and determination.
Dylan’s early experiments with coding began as playful explorations, but by the 5th grade, he was diving into the source code of educational platforms, uncovering ways to bypass restrictions.
Though one such experiment unlocking games without completing lessons earned him a reprimand, it ignited a lifelong passion for understanding system architectures.
During the COVID-19 pandemic, when his school restricted Microsoft Teams functionalities, Dylan engineered workarounds using Outlook to help classmates stay connected, demonstrating not just technical skill but also a knack for problem-solving with a purpose.
Discovering Vulnerabilities
Dylan’s foray into formal security research began with a nine-month self-taught journey of experimentation, culminating in the discovery of a significant vulnerability in Microsoft Teams that allowed him to gain unauthorized control over group chats.
This finding marked his introduction to responsible disclosure and initiated a fruitful partnership with MSRC.
His first vulnerability report to Microsoft was a turning point; in response, the Bug Bounty program revised its terms to include researchers as young as 13, paving the way for prodigies like Dylan.
Since then, he has submitted numerous reports, including a notable issue with the Authenticator Broker service.
Initially deemed out of scope by MSRC, Dylan’s articulate and respectful dialogue highlighted the vulnerability’s broader implications, ultimately leading to its acknowledgment and an expansion of the program’s scope for future submissions.
His ability to engage constructively with seasoned professionals underscores a maturity far beyond his years, earning him a spot on MSRC’s Most Valuable Researcher list for 2022 and 2024.
Most recently, in April 2025, Dylan secured 3rd place at Microsoft’s Zero Day Quest, a prestigious onsite hacking event in Redmond, Washington, competing against top global researchers.
Overcoming Challenges
Despite his remarkable achievements, Dylan’s path has been fraught with challenges, from misunderstood vulnerability reports to personal health struggles during the pandemic, including two surgeries to recover his voice.
Supported by a steadfast family, he has remained grounded and resilient, balancing a rigorous high school schedule with extracurriculars like Science Olympiad, math competitions, and hobbies such as swimming and playing the cello.
Last summer, he filed an impressive 20 vulnerability reports, a sharp rise from just six previously, signaling his growing expertise.
Looking ahead, Dylan views security research as a rewarding passion rather than a career endpoint, remaining open to future paths in cybersecurity, science, or civics.
Eager to connect with the broader community, he dreams of attending security conferences once eligible, hoping to learn from and collaborate with the industry’s best.
Dylan’s story is a powerful testament to how creativity, persistence, and a willingness to learn can shatter age barriers, inspiring a new generation of young researchers to dive into the ever-evolving world of cybersecurity with boldness and purpose.
Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free
