Na3Niel | Substack | May 2026

May 12, 2026. Microsoft Patch Tuesday. Official zero-day count: 0.
Same day. A researcher dropped two.

I put mirrors in the room.
This is what I saw.

1. What Others Built

Google

In 2010, Google created a team of full-time vulnerability researchers inside the company.
Project Zero applies a 90-day rule to every vendor — including Google itself.
After 90 days, the report goes public. Patched or not.
In 2025, they added Reporting Transparency: the discovery date and the 90-day deadline are published before the patch exists.
The world knows the clock is running.
That year’s bug bounty total: $17.1 million.
The highest annual payout in HackerOne history.

Apple

Before 2020, Apple had no public bug bounty program.
The security research community noticed.
In 2020, Apple launched one.
From 2020 to 2025: $35 million paid, 800+ researchers credited.
In October 2025, they doubled the top reward from $1 million to $2 million.
They also added a $1,000 floor for low-impact reports from first-time submitters.
The reason Apple gave: “we want researchers to have an encouraging experience.”

Meta

Since 2011, Meta has guaranteed a minimum of $500 per report.
Not contingent on severity.
Not contingent on final assessment.
The researcher showed up.
The $500 ships.
2024 totals: $2.3 million paid, nearly 10,000 reports received.

OpenAI

April 2023: bug bounty program launched on Bugcrowd.
Standard ceiling $20,000, exceptional reports up to $100,000.
May 2026: Daybreak launched.
An AI-powered vulnerability detection tool — built on GPT-5.5-Cyber — handed directly to external researchers.
A tool to find problems with their own products, given to the people looking for problems.

Anthropic

August 2024: VDP launched.
2025: graduated to a public bug bounty on HackerOne.
One line from their policy, as written: “We fully support researchers’ right to publicly disclose vulnerabilities they discover.”

xAI

March 2, 2025.
An xAI developer committed an .env file — API keys included — to a public GitHub repository.
GitGuardian’s automated scanning system found it the same day and sent an alert to the commit author.
The key covered Grok’s unreleased and private models, a SpaceX-specific model, and a Tesla-specific model.
The alert was sent.
No action followed.

Two months later, an independent researcher named Philippe Caturegli found the same key still active and posted about it on LinkedIn, tagging GitGuardian. GitGuardian reinvestigated.
The key was still valid.
They then spent hours looking for a security contact to report to formally.
No security.txt file existed at xAI’s domain.
The HackerOne contact for X had been expired since January 2024 and left unrenewed. GitGuardian eventually found safety@x.ai and sent a coordinated disclosure on April 30.
xAI’s reply: “Please submit to HackerOne.” Hours later, the repository was deleted and the key revoked.
No update was sent to GitGuardian.
The disclosure process ended without acknowledgment.

The key had been sitting in a public repository for two months.
The first alert went unanswered.
The fix happened silently, out of bounds of the process that found the problem.

2. Microsoft’s Record

Secure Future Initiative — November 2, 2023

“Security above all else.” “Improving security across the industry.”

Zero Day Quest 2026 — April 2026

“Zero Day Quest remains a core part of Microsoft’s broader bug bounty program and our ongoing partnership with the security research community.” $2.3 million awarded.

The timeline with Chaotic Eclipse

April 2: BlueHammer published.
CVE-2026-33825 issued. Patched in April’s update.
Huntress Labs observed real-world exploitation beginning April 10.

April 16: RedSun published.
Huntress observed live exploitation — a threat actor using compromised FortiGate SSL VPN credentials from a Russian IP, running hands-on reconnaissance with whoami /priv and cmdkey /list. No CVE issued.
A patch was quietly mixed into an update before Patch Tuesday.
No announcement was made.

May 12, Patch Tuesday: Official zero-day count, 0.

May 12, same day: Chaotic Eclipse dropped YellowKey — a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025, exploitable by placing crafted FsTx files on a USB drive and rebooting into WinRE.
And GreenPlasma — a privilege escalation flaw allowing unprivileged users to create arbitrary memory-section objects in SYSTEM-writable directories.
The researcher noted the PoC was intentionally incomplete: “if you’re smart enough, you can turn this into a full privilege escalation.”

The researcher’s public note: “Microsoft silently patched the RedSun vulnerability.” And: “There will be a big surprise on June 9.”

Microsoft’s statement to BleepingComputer

“We are committed to investigating security issues and releasing updates to protect customers as quickly as possible.
We support coordinated vulnerability disclosure — a broadly adopted industry practice that ensures issues are carefully investigated and addressed before being publicly disclosed.”

3. Closing Note

The researcher didn’t ask for money.

Didn’t ask for credit.

Asked to be seen.

The mirror is there.

No one has to look.

＜Na3Niel’s TechTIPS /＞

[1] What a zero-day actually is — and why it’s called “zero”

A zero-day is a vulnerability for which no fix exists yet.
The name describes the window defenders have to respond after discovery: zero days.
For the attacker, it’s a free pass. For the defender, it’s a period where no countermeasure has been built.

An analogy.
A flaw is found in the front door lock of an apartment building.
Management knows.
They decide to wait for the next scheduled maintenance cycle.
Anyone who knows about the flaw walks straight in.
That waiting period is the zero-day window.

Now consider what happened here.
Microsoft fixed the lock.
They just didn’t tell anyone the lock had ever been broken.
The residents will never know their door was open.
Their sense of security rests entirely on not knowing.
That’s what a silent patch does.
The count stays at zero.
The flaw existed anyway.

[2] CVE — the official scoreboard, and what it doesn’t count

CVE stands for Common Vulnerabilities and Exposures.
It’s an international system that assigns unique IDs to vulnerabilities.
Most security tooling uses these numbers as the trigger for action.
No CVE, no alert.
No CVE, no flag in the patch management system.
No CVE, no signature update from your scanner.

The problem: issuing a CVE requires vendor cooperation.
If the vendor decides not to request one, the vulnerability has no official number.
It exists.
Researchers see it.
Attackers use it.
The tooling sees nothing.

RedSan had no CVE.
Huntress Labs observed it being used in real attacks — FortiGate credentials compromised, Russian IP, hands-on-keyboard operator running reconnaissance.
Microsoft’s Patch Tuesday listed zero zero-days.
Both statements were technically accurate.
They described different things.
The scoreboard showed a clean game.
The field told a different story.

[3] Bug bounty economics — why “thank you” is sometimes the whole payment

Bug bounty programs pay external researchers to find vulnerabilities.
The corporate logic is straightforward: motivated outsiders catch what internal teams miss.

What the economics often miss is the motivational structure on the researcher’s side.
Industry surveys, including HackerOne’s annual Hacker-Powered Security Report, consistently show that recognition — being credited, being seen — ranks alongside or above financial compensation as a driver for many researchers.

“Your discovery protected Windows users” — one sentence — carries real weight for a measurable portion of the community.

What Microsoft did with RedSan was remove that sentence from the equation entirely.
No CVE means no public record.
No public record means no name attached to the find.
The researcher did the work.
The work was used.
The official record says it didn’t happen.
Chaotic Eclipse had been through some version of that process before this campaign began.
The connection is not difficult to draw.

[4] “Developers, developers, developers” — on the distance between announcement and action

At a Microsoft conference in the early 2000s, something happened that the internet has not forgotten.
Then-CEO Steve Ballmer took the stage and chanted “Developers! Developers! Developers!” — jumping, sweating, filling the room without amplification.
The clip still circulates.
It has been remixed, slowed down, set to music, used as a reaction gif for two decades.
It endures because the energy was, by any measure, genuine.
Whatever else one might observe about the moment, the man believed what he was saying.

The chant was a declaration: Microsoft sees the developer community.
That commitment produced real artifacts — the GitHub acquisition at $7.5 billion, VSCode as open source, Secure Future Initiative in November 2023.
The announcements accumulated.
They were not nothing.

Announcements are not actions, though.
The action the security research community watches for is specific and simple: when someone finds something serious, you credit them publicly, you issue the CVE, and you pay the bounty.
That’s the checklist.
Ballmer’s decibel count does not appear on it.
The distance between what is said on stage and what happens in the MSRC triage queue is measurable.
The measurement is not performed by press releases.

[5] How to stop trusting the count — and what to do instead

Before accepting “0 zero-days” as meaningful information, one question is worth asking first: what exactly did this zero count?

CVE-based vulnerability management tools cannot detect what has no CVE number.
If your patch management workflow is designed around “act when a CVE is issued,” that workflow had a documented blind spot on May 12, 2026 — and the blind spot was being actively exploited in the wild at the time.
The count said zero.
The network traffic said something else.

Practical options exist.
Diffing binaries before and after patch application surfaces silent changes that ship without CVE documentation.
Subscribing to threat intelligence feeds — Huntress, GreyNoise, Recorded Future — gives you an observation layer that runs independently of the official numbering system.
These are not exotic solutions.
They exist specifically because the count has always had this property.

The count counts what it counts.
It was never designed to count the rest.
Knowing the difference is the job.

Na3Niel debugs systems.
Sometimes the bug is the founder.
One mirror.

Sources

CopyA note on sources.

The links below point to what I was reading when I wrote this.
I've described them as I understood them at the time.

Two things may be wrong:
the link may have changed, and my reading may have been off.

If you find a discrepancy between what I wrote
and what the source actually says —
that discrepancy is information.
File it somewhere.

1. Google Project Zero — Policy and Disclosure 2025 Edition
   https://googleprojectzero.blogspot.com/
   

2. Google VRP — Bug Hunters Platform
   https://bughunters.google.com/
   

3. Apple Security Bounty — Evolved
   https://security.apple.com/blog/apple-security-bounty-evolved/
   

4. Meta Bug Bounty 2024 in Review https://engineering.fb.com/2025/02/13/security/looking-back-at-our-bug-bounty-program-in-2024/
   

5. OpenAI Safety Bug Bounty
   https://openai.com/index/safety-bug-bounty/
   

6. Anthropic Responsible Disclosure Policy
   https://anthropic.com/responsible-disclosure-policy
   

7. GitGuardian Blog — xAI Secret Leak: The Story of a Disclosure https://blog.gitguardian.com/xai-secret-leak-disclosure/
   

8. Krebs on Security — xAI Dev Leaks API Key for Private SpaceX, Tesla LLMs https://krebsonsecurity.com/2025/05/xai-dev-leaks-api-key-for-private-spacex-tesla-llms/
   

9. Microsoft — Secure Future Initiative (November 2, 2023)
   https://microsoft.com/en-us/security/blog/2023/11/02/announcing-microsoft-secure-future-initiative
   

10. Microsoft MSRC — Zero Day Quest 2026
    https://microsoft.com/en-us/msrc/blog/2026/04/zero-day-quest-2026
    

11. Huntress — Nightmare-Eclipse Tooling Moves From Public PoC to Real-World Intrusion (April 20, 2026)
    https://www.huntress.com/blog/nightmare-eclipse-intrusion
    

12. BleepingComputer — Windows BitLocker zero-day gives access to protected drives, PoC released
    https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/
    

13. SecurityAffairs — Researchers uncover YellowKey and GreenPlasma Windows Zero-Days
    https://securityaffairs.com/192173/hacking/researchers-uncover-yellowkey-and-greenplasma-windows-zero-days.html
    

14. HackerOne — Hacker-Powered Security Report 2025, 9th Edition
    https://www.hackerone.com/report/hacker-powered-security
    

15. 0patch Blog — Microsoft Silently Patched CVE-2025-9491
    https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html

In July 2025, METR published a study.
16 experienced open-source developers.
246 real tasks.
Randomized controlled trial.

Before the experiment: developers expected AI to make them 24% faster.
After the experiment: developers felt 20% faster.
Actual measured time: 19% slower.

The researchers were surprised.
They had predicted a 2x speedup.
I was not surprised.
I was in the 19%.

The Framing Problem

There’s a framing problem in how this result gets reported.
Most coverage says: AI slows down experienced developers.
That’s accurate but incomplete.
The mechanism matters.

The developers who slowed down weren’t confused by the tools.
They weren’t technophobic.
They were slow for a specific reason: they could see what the AI was doing.

The Senior vs. Junior Developer Divide

A junior developer gets a function from the AI.
It compiles.
Tests pass.
Ship it.

A senior developer gets the same function.
It compiles.
Tests pass.
And then something fires — wait, why did it choose this pattern?
Does this hold when the input is malformed?
Is this the internal library or the stdlib version?
Did someone already write this three modules over?

The tool didn’t slow them down.
Their knowledge did.

Best Practice Code: Feature or Tax?

There’s a term for what the AI generates: best practice code.
Statistically aggregated best practice, pulled from the highest-rated answers in the training data.
Stack Overflow votes.
Starred repositories.
Canonical documentation examples.

This sounds like a feature.
For a certain kind of developer, it is.
For another kind, it’s a tax.

The Review Process Transformation

When the AI writes code you already know, review is fast.
You recognize it.
You verify it quickly.
You move on.

When the AI writes code that’s better than what you would have written — cleaner pattern, newer idiom, smarter abstraction — the review process changes.
Now you have to understand it before you can approve it.
You pull the reference.
You trace the reasoning.
You ask: is this actually better, or does it just look better?

The Inversion of Workload

By 2026, developers are spending 11.4 hours per week reviewing AI-generated code. 9.8 hours writing new code.

Reviewing outpaces writing.
That inversion has a name.
Nobody’s saying it out loud yet.

My Workflow and the New Standard

The way I work: I write the skeleton.
I hand the functions to the AI.

This should be the efficient version.
Architectural decisions stay with me.
Implementation details go to the machine.
Clean separation.

It works. And it costs more than I expected.

Because the AI doesn’t write functions the way I would write them.
It writes functions the way the best practitioners in its training data wrote them. Which means I’m now reviewing code that operates at a level above my current habits.

Responsibility is the Key Word

Which means the review isn’t just is this correct?
The review is why is this correct, and do I understand it well enough to take responsibility for it?

Responsibility is the word that matters.
If this code ships and fails at 2am, I’m the one on call.
The AI is not on call.
The AI does not have a phone.

So I read the reference.
I trace the pattern.
I understand it or I rewrite it.
Either way, the clock is running.

The Floor Has Been Raised

The AI didn’t make me slower.
It raised the floor.

There’s an old distinction in engineering: it works versus I understand why it works.

The alchemist and the scientist can both produce gold.
The alchemist puts materials in, gold comes out, transaction complete.
The scientist produces the same gold and immediately asks: what reaction is this, what are the boundary conditions, what breaks this at scale?

For most of history, these two types of people were in different rooms.
AI put them in the same room and gave them the same tool.

The alchemist is now faster than ever.
Materials in, product out, no friction.
The scientist is now doing two jobs.
Running the experiment and auditing the experiment’s assumptions simultaneously.

The 19% is the audit.

The Cost of Prevention (Security Audit)

In 2025, Veracode tested over 100 LLMs.
45% of AI-generated code contained OWASP Top 10 vulnerabilities.
JavaScript: 70%.
XSS defenses: 85% of models failed.

These numbers are for the case where nobody is auditing carefully.
The alchemist scenario.
Works, ships, gets exploited later.

The 19% slowdown is what prevention costs.
You can have speed or you can have the audit.
The models don’t offer both.
The developer has to choose, and the developer who chooses the audit will always look slower than the one who doesn’t.

Until 2am.

The Skepticism of Experience

The METR researchers noted something in their follow-up.
The developers who slowed down weren’t wrong to slow down.
They were applying appropriate skepticism to a tool that produces confident, fluent, plausible-looking code regardless of whether it’s correct.

Fluency is not correctness.
The models are very fluent.
The developers who slowed down knew the difference.
The ones who didn’t slow down may not have.

Final Metrics: Individual Output vs. Team Throughput

One last number.
DORA 2025: AI adoption increased individual PR creation by 98%.
PR review time increased by 91%.
Team-level delivery showed no statistically significant improvement.

Individual output went up.
Team throughput stayed flat.

The review bottleneck absorbed the generation speedup.

Where did the review time go?
To the people who could see what they were looking at.

Conclusion: The Audit is Running

The study found experienced developers were 19% slower.
The researchers were surprised.
I wasn’t.

The slower you are, sometimes, the more you understand what you’re looking at. That’s not a bug in the developer.
That’s the audit running.

Na3Niel ships code and reads the diff.
No links.
One mirror.
The 19% knows who they are.

The Core Incident: $2 Billion Lesson

Meta paid $2 billion for Manus in December 2025.
China unwound the deal in April 2026.

The money didn’t disappear.

The deal did.

There is one sentence that explains most of Meta’s expensive mistakes.

“Move fast and break things.”

Zuckerberg coined it. Facebook printed it on the walls. They retired it officially in 2014.

But the thinking never left.

The Limits of Technology

The metaverse cost north of $70 billion.

The avatar had no legs. Nobody showed up.

NFTs. Horizon Worlds. Now Manus.

This pattern isn’t incompetence.

It is a specific kind of blindness.

Zuckerberg reads technology faster than almost anyone alive.

But he reads power structures slowly, if at all.

The Crucial Difference in the Manus Bet

The metaverse bet was a technology timing error. Reasonable people made it.

The Manus bet was something else entirely.

Every mid-size IT engineer in Japan knew the answer before Meta signed the paperwork.

The question was simple: Can you buy a Chinese-origin AI company by routing the deal through Singapore?

The answer was simpler:

Everything in China sits below the Party.

This is not analysis. It is a fact about the operating system.

You don’t need intelligence reports. You need to read the architecture.

The Missing Element

Meta had lawyers.

Meta had advisors.

Meta had $2 billion to spend.

What Meta didn’t have was someone in the room who could say:

“The Party doesn’t care about your Singapore holding structure.”

— and be heard.

Speed vs. State Power

Zuckerberg moves fast. That is real.

Instagram at $1 billion was genius.

WhatsApp at $19 billion was genius.

Speed works when the obstacle is a competitor or a market gap.

Speed fails when the obstacle is a government that decides, three months after your acquisition closed, to call it a national security violation and hand you back the keys.

The NDRC didn’t move fast.

The NDRC moved exactly when it wanted to.

The Counter-Example: Anthropic’s Fight

Four thousand miles away, another company faced a different government with a different problem.

Anthropic spent January through March 2026 in a full legal war with the Pentagon.

Supply chain risk designation. Two federal lawsuits. A judge ruled the government’s actions were likely unconstitutional retaliation.

By April, Dario Amodei was writing blog posts calling the Pentagon the “Department of War”—the administration’s preferred term—and saying Anthropic has “much more in common” with the DoD than differences.

Strategy: Court vs. Under the Table

By April 21, Trump told CNBC that Anthropic was “shaping up,” and a Pentagon deal was “possible.”

Observe what happened here.

Anthropic fought in court.

And negotiated in private.

They launched Project Glasswing—$100 million in AI credits to fix zero-days across major OSs and browsers, with AWS, Apple, Microsoft, Google, Nvidia, and CrowdStrike at the table. A demonstration proving Anthropic’s models protect American infrastructure better than any alternative.

The legal argument said: You can’t do this.

The technical argument said: You need us.

The political argument was never made explicitly. It didn’t need to be.

The Fundamental Question

Constitutional AI is not a product feature.

It is an answer to a question Zuckerberg has never seriously asked:

What sits above the system?

Dario Amodei built his company on the premise that something has to sit there. His career is an attempt to answer that question before the question answers itself.

Whether you agree with his answers or not, asking it produces a specific skill: reading the room when the room contains someone more powerful than you.

Conclusion: Speed vs. Structure

Zuckerberg built a company based on the premise that moving faster than the room is enough. Sometimes it is.

China didn’t move faster. China waited.

The NDRC’s decision will be cited for years as the moment “Singapore incorporation” stopped being a clean exit route for Chinese-origin technology.

Meta lost $2 billion learning something already known.

Anthropic lost a designation, perhaps knowing from the start: in a superpower war over computing’s next decade, an autonomous zero-day finder is too valuable to exclude.

Two companies. Two governments. Two opposite outcomes.

The variable wasn’t the technology.

The variable was who in the room was reading the room.

Na3Niel debugs systems.
Sometimes the bug is the founder.
No links.
One mirror.

Draw your own lines.

by Na3Niel

Anthropic’s leaked source code had 512,000 lines.

Most people read the security architecture. The anti-distillation flags. The undercover mode that scrubs AI fingerprints from

external repos.

I read buddy/companion.ts.

18 species. Rarity tiers. A 1% shiny probability. RPG status bars. A Tamagotchi living inside a terminal, salted with friend-2026-401

— April Fools, except the code structure suggests it was never just April Fools.

Someone built this. Someone approved this.

That someone is probably not Dario.

Dario Amodei thinks in scaling laws. His output is Constitutional AI, interpretability research, the Responsible Scaling Policy.
Every idea he generates traces back to a single question: what does rigorous safety actually require?
The logic is load-bearing all the way down.

buddy/companion.ts answers a different question entirely.

What makes a user feel something?

That reads like Daniela’s question. Not a translation of Dario’s answer — a different question, running in parallel, producing outputs that Dario’s mental model doesn’t generate.

She’s not the interpreter.
She’s a second process with different inputs.

In systems design, you’d call this a heterogeneous architecture.
Two components with incompatible internal logic, coupled at the interface.
The coupling point is Claude itself.

The friction is the product.

There’s a comparison people reach for here. Jobs and Wozniak.

The visionary and the engineer.

It’s the wrong frame.

Wozniak was also an engineer.
His Apple I was technical perfection expressed as hardware.
Two engineers with different aesthetics, not two different types of mind.

Daniela is something else. The closer analogue is early Apple before Wozniak and Jobs had funding — when the product was still weird enough to be interesting, before market pressure normalized it into something recognizable.

Mike Markkula gave Apple its business structure. He translated technical enthusiasm into a pitch that investors could process. Clean, legible, convertible.

Daniela does that too. But she also generates the Tamagotchi. Markkula would never have generated the Tamagotchi.
His job was to make the weird thing legible, not to introduce new weird things.

That’s the distinction worth holding.

Claude Code ships as terminal-only. No GUI. No settings panel.

No onboarding flow designed to minimize abandonment rates.

Every product manager at Google looked at that decision and felt something between confusion and contempt.

Google Antigravity crosses browser, editor, terminal — maximum surface area, maximum reach. OpenAI Codex ships with a GUI, macOS-native, visual feedback, progressive disclosure.
Both are optimized for the same objective: more users, lower friction, broader market.

Claude Code optimized for something else.

The right users, maximum depth, no apology.

In a large organization, the meeting where someone proposes terminal-only ends one way. “Why would we limit the market?”

The proposal dies before it reaches a decision. This is not malice. It’s the natural behavior of a system where every voice represents a constituency with a growth metric.

Anthropic had that meeting. The terminal-only decision survived it.

What that tells you about the organization is more interesting than any benchmark.

The question worth asking isn’t whether Anthropic is growing.

It’s whether the thing generating the growth is durable.

Two failure modes, both structural.

October 2026. Reported IPO window.
The moment public markets attach a quarterly cadence to the organization, “what does the Tamagotchi contribute to this period’s guidance?” becomes a question with teeth.

Dario can answer it with conviction. Conviction doesn’t update spreadsheets.

The board composition changes at IPO. The informal veto — whoever it is that currently stops the GUI proposal, the settings panel,

the growth-hacked onboarding — that veto becomes harder to exercise when it has to be explained to people who weren’t in the room where the philosophy was formed.

Scale threshold. Anthropic is currently in the thousands. At ten thousand, the question “which budget owns the Tamagotchi” is not rhetorical.

It’s a blocker.

Features without clear organizational ownership don’t survive roadmap reviews at that scale. Not because anyone decides to kill them. Because no one decides to save them.

Apple 1985. Jobs exits.

The next decade produces capable products, reasonable margins, steady decline.

Jobs returns. First action: eliminate 70% of the product line.

He wasn’t restoring the original vision. He was cutting everything that had accumulated in the absence of the friction that made the original products interesting. The friction — the arguments, the irrational commitments, the things that didn’t survive normal business logic — that was the asset.

The organization had been systematically removing it for twelve years.

Anthropic is pre-1985.

The friction is still there. buddy/companion.ts compiles.

Terminal-only ships. The Tamagotchi exists because someone in a position to stop it didn’t.

This is not a prediction of failure.

It’s an observation about what the growth is actually made of — and whether that ingredient scales automatically.

The $30B ARR is real.
The 3.5 gigawatt TPU commitment is real.
The organizational structure that produces terminal-only decisions and April Fools Tamagotchis is also real.

Those three things are currently running on the same hardware.

Watch what happens when the hardware has to choose.

Na3Niel writes about systems that work until they don’t.

No links.

One observation.

Make of it what you will.