How Brad Schlintz built a life of freedom and impact

At Microsoft Security Response Center (MSRC), we celebrate the diverse paths that bring researchers to our community. Brad Schlintz’s story is one of curiosity, resilience, and a relentless drive to learn, spanning rural beginnings, career pivots, and a life shaped by both technology and travel. In this blog post, we share Brad’s journeys, highlighting the experiences and insights that have made him a top contributor to Microsoft’s bug bounty program (ranked as the #5 Microsoft MVR for 2025), a qualifier for both Zero Day Quest 2025 and Zero Day Quest 2026, and a respected member of the security research community.

Brad’s fascination with technology began in a small Midwestern town surrounded by dairy cows and never-ending corn fields. As a child he was always curious, tearing apart electronics to see how they worked and building computers from spare parts. His first real taste of computing came in seventh grade when he discovered RuneScape. He later convinced his parents to get a second dial-up connection so he could automate his gameplay around the clock. “I had five or six bots running all day and night,” Brad recalls. “Eventually I got banned, which was deserved, but it was a lot of fun and cemented my interest in computers.” This laid the foundation for a future in technology, though at the time, Brad imagined himself as a game designer, not a security researcher.

When it came time for college, Brad chose a tech school close to home and earned a bachelor’s degree in computer science. “I got a degree, but was thrown a curveball during my internship with a defense contractor,” Brad admits. He was handed a massive SharePoint Server 2007 manual and told, “You’re going to be a SharePoint developer.” What followed was more than a decade working with SharePoint, first in corporate roles, then consulting, and eventually joining Microsoft as a field engineer. “It was pure dumb luck that I ended up in SharePoint, but it set the course for the next 12 years,” Brad says. Throughout this period, he dabbled with Linux and studied the Red Team Field Manual, but cybersecurity remained a side interest. Even when he applied to MSRC, he was turned down for lacking a security background. 

Brad’s journey took a dramatic turn when he decided to leave traditional employment and embark on a year-long mini retirement with his wife. “I always dreamed of quitting my job and traveling,” he says. “Towards the end of that first year, I knew I didn’t want to go back to a 9-to-5.” That’s when Brad discovered bug bounty programs, a way to combine his love of technology with the freedom to travel.

The transition wasn’t easy. Brad spent nights learning about bug bounty, reading blog articles, watching YouTube videos, and experimenting with new techniques. His first bug bounty win, a $2,500 payout from a program on HackerOne for a vulnerability in their employee portal, came about a month after he started. The bug was straightforward, a simple OAuth open redirect, but it was the first money he made from security research and a huge confidence boost.

The next few months were a whirlwind of experimentation. Brad tried out more than 10 different programs across platforms like HackerOne and Bugcrowd. “I didn’t know much about security,” he admits. “I had a developer’s mind and knew how to build software but figuring out security impact was a struggle.” In the early days, Brad spent 50% of his time bug hunting and the other 50% learning new vulnerability classes and attack vectors. Since Brad already had a strong background in web development, it made the most sense to begin with bug classes like XSS, CSRF, and SSRF. Similar to his childhood, he began tearing apart and reverse engineering web applications that he was already accustomed to building. Leveraging his background in software engineering enabled him to quickly master the fundamentals and develop novel exploits.

After five or six months, Brad felt ready to tackle Microsoft’s bug bounty program. At first, he avoided Microsoft because he thought it was too intimidating. As it turned out, Microsoft was an ideal partnership. Within two months, Brad had reported a dozen cases, drawing on his deep familiarity with SharePoint, OneDrive, and Office. His expertise allowed him to uncover vulnerabilities others missed and he quickly became a top contributor to the program. Brad’s approach was methodical. He preferred to focus primarily in one area at a time, exhausting the attack surface before moving on. “I didn’t bounce back and forth too much,” he says. “Once I started with Microsoft, I stayed in the ecosystem. It allowed me to continuously build knowledge and dive deeper into the platform.” Over time, Brad expanded his focus to PowerApps and Dynamics, working closely with MSRC engineers to address vulnerabilities and improve the program. 

Among Brad’s proudest accomplishments is a critical cross-tenant bug in Dynamics, which earned a CVE. “It was possible to get an access token for any tenant just by knowing the tenant name or ID,” Brad explains. “That token could be used for full read/write access to Azure storage accounts. It was a very impactful bug.” The discovery was a turning point, validating Brad’s expertise and earning recognition within the security community.

Other highlights include earning a DEF CON black badge, participating in the Blue Hat podcast, and connecting with researchers and MSRC engineers at events like Zero Day Quest. “It’s been a life-changing year and I’m incredibly grateful,” Brad says. “I could never have imagined so many awesome things happening in such a short time. It feels like I’m on a rocket ship!” 

For Brad, the most rewarding aspect of bug bounty is the human connection. One of his favorite experiences was meeting people at Zero Day Quest, hosted on the Microsoft campus in April 2025. He was able to put names to faces, connect with other researchers, and talk through bugs with MSRC engineers. Brad values the collaborative spirit of the community, sharing feedback to improve the program, and supporting others in their pursuits. Discord has also played a big role in his journey allowing him to chat with fellow responsible researchers around the world.

Brad’s life is a blend of cyber wizardry and off-the-beaten-path adventure. He and his wife alternate between “fast travel” and “slow travel” to avoid burnout and keep a sustainable pace. “Slow travel is for part-time work and relaxation, while fast travel is similar to a traditional vacation with busy days full of fun activities,” Brad explains. “The biggest perk of being an independent bug bounty hunter is the freedom to choose any location, time zone, or day to hack.” Outside of bug hunting, Brad enjoys scuba diving, hiking, birdwatching, and trying new cuisines. He often watches conference talks and listens to security podcasts to stay current. 

As Brad looks to the future, he hopes to further refine his skillset and explore more of Microsoft’s bug bounty programs. “There’s no upper limit to what you can earn, plus it’s super challenging and always changing,” he says. “For where we’re at in life, it’s the perfect fit.”

Brad and his wife are planning another year-long trip, continuing Brad’s journey of security research and their shared exploration of new places and experiences. They’re also considering buying a home to have a proper base to launch bucket list travels. For Brad, designing a life that balances purpose, freedom, and growth is what it’s all about. “I spent a lot of time dreaming about what I wanted my life to be like,” he says. “Breaking away from the stability of corporate was a scary leap of faith and I had no idea how it would unfold. Looking back, it was one of the best decisions I ever made because it gave us the chance to create a one-of-a-kind life.”

Brad’s story highlights the power of curiosity, resilience, and community. From rural beginnings to global impact, he’s shown that there’s no single path to success in security research. By embracing learning, collaboration, and adventure, Brad continues to inspire others, reminding us that the journey matters as much as the destination.