Dylan, who is only 13 years old, is the youngest security researcher to work with the Microsoft Security Response Center (MSRC), marking a significant turning point in the cybersecurity field and demonstrating the value of young technical expertise and interest.
His journey began like many digital natives with Scratch, a visual coding platform designed for beginners. However, for Dylan, this was merely an entry point.
By the 5th grade, his technical exploration had advanced to analyzing source code for educational software, refining not just his programming but also his understanding of system vulnerabilities.
Discovery of a Major Vulnerability
Dylan’s inquisitiveness deepened during the COVID-19 pandemic, when school-imposed restrictions prompted him to seek technical solutions that maintained student connectivity.
His workaround for enabling Teams meetings, originally disabled by his school, emerged not from rule-breaking intent, but a genuine desire to assist classmates during social isolation.
This early tinkering gave rise to a more formalized interest in cybersecurity, culminating in his discovery of a critical vulnerability in Microsoft Teams one that permitted takeover of any group.
After nine months of rigorous self-study and experimentation, Dylan responsibly disclosed his findings to MSRC.
His report not only highlighted the exploit, but also helped Microsoft adapt its bug bounty participation rules to include researchers as young as 13, an unprecedented move that opened doors for a new generation of talent.
Impactful Collaboration and Recognition
Dylan’s collaboration with MSRC quickly established him as more than a precocious coder.
He’s recognized for his ability to articulate technical details clearly and engage in constructive debate, particularly when initial assessments differ from his own.
One significant case involved a vulnerability in the Authenticator Broker service, initially considered out-of-scope.
Dylan’s technical reasoning and clear communication prompted Microsoft not only to acknowledge the issue but also to expand its bug bounty scope moving forward a direct testament to the impact of his advocacy.
His technical output has been prolific, with 20 vulnerability reports filed in a single summer far exceeding his earlier pace.
His achievements have earned him repeated listings in MSRC’s Most Valuable Researcher (MVR) program for 2022 and 2024, and he recently secured 3rd place at Microsoft’s highly competitive Zero Day Quest hacking event in Redmond, Washington.
According to the Report, Dylan’s journey has not been without obstacles. He has navigated misunderstood reports, the complex world of responsible disclosure, and personal health challenges, including the loss of his voice and subsequent surgeries during the pandemic.
Through it all, family support has been instrumental, helping him stay focused and resilient.
Now a high school junior, Dylan balances challenging academics with extracurriculars such as Science Olympiad, math competitions, swimming, biking, and playing the cello.
Despite his growing list of accolades, he views security research as a passion rather than just a career path.
Looking ahead, he aspires to attend industry conferences, further his skills, and give back to both the cybersecurity and broader tech communities.
Dylan’s story illustrates that age need not be a barrier in cybersecurity. His creativity, persistence, and commitment to ethical research have not only advanced Microsoft’s defenses but also set a benchmark for young researchers globally.
As the digital threat landscape continues to evolve, prodigious talents like Dylan demonstrate the critical role that fresh perspectives and relentless curiosity play in the ongoing effort to secure technology for everyone.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
