NEWS Microsoft’s Most Dangerous Enemy Wears a School Uniform and Plays the Cello

Doni

Third Place at Zero Day Quest: Who is Dylan?


In the world of cybersecurity, adults with years of experience usually dominate. But sometimes, the most unexpected discoveries come from those who haven’t even turned 18 yet.


Dylan became the youngest-ever security researcher in the history of the Microsoft Security Response Center. At just 13 years old, he not only discovered a critical vulnerability in corporate systems but also prompted the tech giant to revise the rules of its bug bounty program.


His passion for technology began with Scratch, a visual programming language for creating simple games and animations. But for Dylan, this was only the starting point of a much larger journey. He soon mastered HTML and various programming languages, and by fifth grade, he was already analyzing the source code of educational platforms.


An attempt to bypass an educational program to access games without completing assignments got him into trouble at school — but it also sparked his curiosity about how systems work. This curiosity deepened during the COVID-19 pandemic when the school disabled students' ability to create meetings in Teams. Dylan found a workaround via Outlook. His goal was noble: to help classmates stay connected during isolation. This marked the first glimpse of a future problem-solver.


When the school blocked student chats in Teams as well, Dylan didn’t give up. Instead, he got creative. After nine months of self-study, experimentation, and trial-and-error, he discovered a vulnerability that allowed him to take control of any Teams group. This breakthrough became his gateway into the world of responsible disclosure.


Microsoft responded in an unexpected way. The Bug Bounty team updated its program rules, lowering the minimum participant age to 13 — just for cases like Dylan’s. Since then, he has worked closely with MSRC, showing technical knowledge and professionalism far beyond his years.


Dylan's communication skills are as impressive as his technical abilities. He knows how to respectfully stand his ground when disagreeing with MSRC's initial assessments, always aiming to understand the other side while clearly presenting his own perspective. This approach earned him respect and helped him achieve significant results.


A telling example: a vulnerability in the Authenticator Broker service was initially deemed out-of-scope. Through constructive dialogue, Dylan helped the team recognize the broader impact of the issue. The result exceeded expectations — Microsoft not only acknowledged the problem but also expanded the program’s scope for future reports.


The journey hasn’t been easy. Dylan faced misunderstood reports and setbacks, but support from his family — especially his parents and grandparents — helped him stay calm and professional. During the pandemic, he lost his voice due to health issues and underwent two surgeries, which only strengthened his resolve.


Today, Dylan is a high school student balancing academics with participation in science olympiads, math competitions, swimming, cycling, and playing the cello. Last summer, he submitted 20 vulnerability reports — a sharp increase from his previous total of six. He was named one of MSRC’s Most Valuable Researchers in both 2022 and 2024, and in April 2025, he placed third at the prestigious Zero Day Quest hacking competition at Microsoft’s headquarters.
 