Na3Niel | Substack | May 2026
May 12, 2026. Microsoft Patch Tuesday. Official zero-day count: 0.
Same day. A researcher dropped two.
I put mirrors in the room.
This is what I saw.
1. What Others Built
Google
In 2010, Google created a team of full-time vulnerability researchers inside the company.
Project Zero applies a 90-day rule to every vendor — including Google itself.
After 90 days, the report goes public. Patched or not.
In 2025, they added Reporting Transparency: the discovery date and the 90-day deadline are published before the patch exists.
The world knows the clock is running.
That year’s bug bounty total: $17.1 million.
The highest annual payout in HackerOne history.
Apple
Before 2020, Apple had no public bug bounty program.
The security research community noticed.
In 2020, Apple launched one.
From 2020 to 2025: $35 million paid, 800+ researchers credited.
In October 2025, they doubled the top reward from $1 million to $2 million.
They also added a $1,000 floor for low-impact reports from first-time submitters.
The reason Apple gave: “we want researchers to have an encouraging experience.”
Meta
Since 2011, Meta has guaranteed a minimum of $500 per report.
Not contingent on severity.
Not contingent on final assessment.
The researcher showed up.
The $500 ships.
2024 totals: $2.3 million paid, nearly 10,000 reports received.
OpenAI
April 2023: bug bounty program launched on Bugcrowd.
Standard ceiling $20,000, exceptional reports up to $100,000.
May 2026: Daybreak launched.
An AI-powered vulnerability detection tool — built on GPT-5.5-Cyber — handed directly to external researchers.
A tool to find problems with their own products, given to the people looking for problems.
Anthropic
August 2024: VDP launched.
2025: graduated to a public bug bounty on HackerOne.
One line from their policy, as written: “We fully support researchers’ right to publicly disclose vulnerabilities they discover.”
xAI
March 2, 2025.
An xAI developer committed a .env file — API keys included — to a public GitHub repository.
GitGuardian’s automated scanning system found it the same day and sent an alert to the commit author.
The key covered Grok’s unreleased and private models, a SpaceX-specific model, and a Tesla-specific model.
The alert was sent.
No action followed.
Two months later, an independent researcher named Philippe Caturegli found the same key still active and posted about it on LinkedIn, tagging GitGuardian. GitGuardian reinvestigated.
The key was still valid.
They then spent hours looking for a security contact to report to formally.
No security.txt file existed at xAI’s domain.
The HackerOne contact for X had expired in January 2024 and was never renewed.
GitGuardian eventually found safety@x.ai and sent a coordinated disclosure on April 30.
xAI’s reply: “Please submit to HackerOne.” Hours later, the repository was deleted and the key revoked.
No update was sent to GitGuardian.
The disclosure process ended without acknowledgment.
The key had been sitting in a public repository for two months.
The first alert went unanswered.
The fix happened silently, out of bounds of the process that found the problem.
2. Microsoft’s Record
Secure Future Initiative — November 2, 2023
“Security above all else.” “Improving security across the industry.”
Zero Day Quest 2026 — April 2026
“Zero Day Quest remains a core part of Microsoft’s broader bug bounty program and our ongoing partnership with the security research community.” $2.3 million awarded.
The timeline with Chaotic Eclipse
April 2: BlueHammer published.
CVE-2026-33825 issued. Patched in April’s update.
Huntress Labs observed real-world exploitation beginning April 10.
April 16: RedSun published.
Huntress observed live exploitation — a threat actor using compromised FortiGate SSL VPN credentials from a Russian IP, running hands-on reconnaissance with whoami /priv and cmdkey /list. No CVE issued.
A patch was quietly mixed into an update before Patch Tuesday.
No announcement was made.
May 12, Patch Tuesday: Official zero-day count, 0.
May 12, same day: Chaotic Eclipse dropped YellowKey — a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025, exploitable by placing crafted FsTx files on a USB drive and rebooting into WinRE.
And GreenPlasma — a privilege escalation flaw allowing unprivileged users to create arbitrary memory-section objects in SYSTEM-writable directories.
The researcher noted the PoC was intentionally incomplete: “if you’re smart enough, you can turn this into a full privilege escalation.”
The researcher’s public note: “Microsoft silently patched the RedSun vulnerability.” And: “There will be a big surprise on June 9.”
Microsoft’s statement to BleepingComputer
“We are committed to investigating security issues and releasing updates to protect customers as quickly as possible.
We support coordinated vulnerability disclosure — a broadly adopted industry practice that ensures issues are carefully investigated and addressed before being publicly disclosed.”
3. Closing Note
The researcher didn’t ask for money.
Didn’t ask for credit.
Asked to be seen.
The mirror is there.
No one has to look.
<Na3Niel’s TechTIPS />
[1] What a zero-day actually is — and why it’s called “zero”
A zero-day is a vulnerability for which no fix exists yet.
The name describes the window defenders have to respond after discovery: zero days.
For the attacker, it’s a free pass. For the defender, it’s a period where no countermeasure has been built.
An analogy.
A flaw is found in the front door lock of an apartment building.
Management knows.
They decide to wait for the next scheduled maintenance cycle.
Anyone who knows about the flaw walks straight in.
That waiting period is the zero-day window.
Now consider what happened here.
Microsoft fixed the lock.
They just didn’t tell anyone the lock had ever been broken.
The residents will never know their door was open.
Their sense of security rests entirely on not knowing.
That’s what a silent patch does.
The count stays at zero.
The flaw existed anyway.
[2] CVE — the official scoreboard, and what it doesn’t count
CVE stands for Common Vulnerabilities and Exposures.
It’s an international system that assigns unique IDs to vulnerabilities.
Most security tooling uses these numbers as the trigger for action.
No CVE, no alert.
No CVE, no flag in the patch management system.
No CVE, no signature update from your scanner.
The problem: issuing a CVE requires vendor cooperation.
If the vendor decides not to request one, the vulnerability has no official number.
It exists.
Researchers see it.
Attackers use it.
The tooling sees nothing.
RedSun had no CVE.
Huntress Labs observed it being used in real attacks — FortiGate credentials compromised, Russian IP, hands-on-keyboard operator running reconnaissance.
Microsoft’s Patch Tuesday listed zero zero-days.
Both statements were technically accurate.
They described different things.
The scoreboard showed a clean game.
The field told a different story.
[3] Bug bounty economics — why “thank you” is sometimes the whole payment
Bug bounty programs pay external researchers to find vulnerabilities.
The corporate logic is straightforward: motivated outsiders catch what internal teams miss.
What the economics often miss is the motivational structure on the researcher’s side.
Industry surveys, including HackerOne’s annual Hacker-Powered Security Report, consistently show that recognition — being credited, being seen — ranks alongside or above financial compensation as a driver for many researchers.
“Your discovery protected Windows users” — one sentence — carries real weight for a measurable portion of the community.
What Microsoft did with RedSun was remove that sentence from the equation entirely.
No CVE means no public record.
No public record means no name attached to the find.
The researcher did the work.
The work was used.
The official record says it didn’t happen.
Chaotic Eclipse had been through some version of that process before this campaign began.
The connection is not difficult to draw.
[4] “Developers, developers, developers” — on the distance between announcement and action
At a Microsoft conference in the early 2000s, something happened that the internet has not forgotten.
Then-CEO Steve Ballmer took the stage and chanted “Developers! Developers! Developers!” — jumping, sweating, filling the room without amplification.
The clip still circulates.
It has been remixed, slowed down, set to music, used as a reaction gif for two decades.
It endures because the energy was, by any measure, genuine.
Whatever else one might observe about the moment, the man believed what he was saying.
The chant was a declaration: Microsoft sees the developer community.
That commitment produced real artifacts — the GitHub acquisition at $7.5 billion, VSCode as open source, Secure Future Initiative in November 2023.
The announcements accumulated.
They were not nothing.
Announcements are not actions, though.
The action the security research community watches for is specific and simple: when someone finds something serious, you credit them publicly, you issue the CVE, and you pay the bounty.
That’s the checklist.
Ballmer’s decibel count does not appear on it.
The distance between what is said on stage and what happens in the MSRC triage queue is measurable.
The measurement is not performed by press releases.
[5] How to stop trusting the count — and what to do instead
Before accepting “0 zero-days” as meaningful information, one question is worth asking first: what exactly did this zero count?
CVE-based vulnerability management tools cannot detect what has no CVE number.
If your patch management workflow is designed around “act when a CVE is issued,” that workflow had a documented blind spot on May 12, 2026 — and the blind spot was being actively exploited in the wild at the time.
The count said zero.
The network traffic said something else.
Practical options exist.
Diffing binaries before and after patch application surfaces silent changes that ship without CVE documentation.
Subscribing to threat intelligence feeds — Huntress, GreyNoise, Recorded Future — gives you an observation layer that runs independently of the official numbering system.
These are not exotic solutions.
They exist specifically because the count has always had this property.
The count counts what it counts.
It was never designed to count the rest.
Knowing the difference is the job.
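One way to do the binary diff described above, as an added example that is not from the post or from any vendor tooling: hash every binary in a snapshot taken before the update and one taken after, then flag the changed files that no published advisory mentions. The directory layout, file names and advisory list are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

BINARY_SUFFIXES = (".exe", ".dll", ".sys")

def sha256_of(path):
    """Stream a file through SHA-256 so large binaries never sit in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each binary under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in BINARY_SUFFIXES}

def diff_manifests(before, after, documented=frozenset()):
    """Compare two snapshots; 'undocumented' is what changed but appears in no advisory."""
    changed = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    added = sorted(after.keys() - before.keys())
    return {
        "changed": changed,
        "added": added,
        "removed": sorted(before.keys() - after.keys()),
        "undocumented": [k for k in changed + added if k not in documented],
    }

def demo():
    """Constructed sample: a fake system directory snapshotted before and after an update."""
    base = Path(tempfile.mkdtemp())
    before, after = base / "before", base / "after"
    for d in (before, after):
        (d / "drivers").mkdir(parents=True)
    (before / "core.dll").write_bytes(b"core build 100")              # untouched by the update
    (after / "core.dll").write_bytes(b"core build 100")
    (before / "drivers" / "example.sys").write_bytes(b"drv build 100")  # changed, listed in advisory
    (after / "drivers" / "example.sys").write_bytes(b"drv build 101")
    (before / "helper.dll").write_bytes(b"helper build 100")          # changed, no CVE, no note
    (after / "helper.dll").write_bytes(b"helper build 101")
    (after / "notes.txt").write_bytes(b"not a binary, ignored")
    advisory_files = {"drivers/example.sys"}  # constructed: what the published CVE list covers
    return diff_manifests(build_manifest(before), build_manifest(after), advisory_files)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A real run would snapshot the same directory on the same host before and after applying the update, and feed the advisory's file list in place of the constructed set.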
Na3Niel debugs systems.
Sometimes the bug is the founder.
One mirror.
Sources
A note on sources.
The links below point to what I was reading when I wrote this.
I've described them as I understood them at the time.
Two things may be wrong: the link may have changed, and my reading may have been off.
If you find a discrepancy between what I wrote and what the source actually says — that discrepancy is information.
File it somewhere.
Google Project Zero — Policy and Disclosure 2025 Edition
https://googleprojectzero.blogspot.com/
Google VRP — Bug Hunters Platform
https://bughunters.google.com/
Apple Security Bounty — Evolved
https://security.apple.com/blog/apple-security-bounty-evolved/
Meta Bug Bounty 2024 in Review
https://engineering.fb.com/2025/02/13/security/looking-back-at-our-bug-bounty-program-in-2024/
OpenAI Safety Bug Bounty
https://openai.com/index/safety-bug-bounty/
Anthropic Responsible Disclosure Policy
https://anthropic.com/responsible-disclosure-policy
GitGuardian Blog — xAI Secret Leak: The Story of a Disclosure
https://blog.gitguardian.com/xai-secret-leak-disclosure/
Krebs on Security — xAI Dev Leaks API Key for Private SpaceX, Tesla LLMs
https://krebsonsecurity.com/2025/05/xai-dev-leaks-api-key-for-private-spacex-tesla-llms/
Microsoft — Secure Future Initiative (November 2, 2023)
https://microsoft.com/en-us/security/blog/2023/11/02/announcing-microsoft-secure-future-initiative
Microsoft MSRC — Zero Day Quest 2026
https://microsoft.com/en-us/msrc/blog/2026/04/zero-day-quest-2026
Huntress — Nightmare-Eclipse Tooling Moves From Public PoC to Real-World Intrusion (April 20, 2026)
https://www.huntress.com/blog/nightmare-eclipse-intrusion
BleepingComputer — Windows BitLocker zero-day gives access to protected drives, PoC released
https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/
SecurityAffairs — Researchers uncover YellowKey and GreenPlasma Windows Zero-Days
https://securityaffairs.com/192173/hacking/researchers-uncover-yellowkey-and-greenplasma-windows-zero-days.html
HackerOne — Hacker-Powered Security Report 2025, 9th Edition
https://www.hackerone.com/report/hacker-powered-security
0patch Blog — Microsoft Silently Patched CVE-2025-9491
https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html