Zero Zero-Days.
https://na3niel.substack.com/p/zero-zero-days
May 12, 2026. Microsoft #PatchTuesday. Official #zeroday count: 0.
Same day. A researcher dropped two.
This is a field report on who's counting, and what they count.
Here's what others were doing.
Google pays $17.1 million a year in bug bounties — HackerOne's all-time annual record. Project Zero applies a 90-day public disclosure rule to every vendor. Including Google itself. In 2025 they added one more thing: they now publish the discovery date and the deadline before the patch even exists. The clock is public. The world knows it's running.
Apple had no public #bugbounty before 2020. The community noticed. They launched one. $35M paid, 800+ researchers credited over five years. October 2025: top reward doubled to $2M. $1,000 floor added for low-impact, first-time reports. Their stated reason: "we want researchers to have an encouraging experience."
Meta has paid a minimum of $500 per report since 2011. Not contingent on severity. Not contingent on final triage. The researcher showed up. The $500 ships.
OpenAI launched Daybreak in May 2026. An AI-powered vuln detection tool handed directly to external researchers. A tool to find problems with their own products. Given to the people looking for problems.
Anthropic's policy, as written: "We fully support researchers' right to publicly disclose vulnerabilities they discover."
xAI: March 2, 2025. A developer committed a .env file — API keys included — to a public GitHub repo. GitGuardian found it the same day. Sent an alert. No action followed.
Two months later, an independent researcher found the same key still active. GitGuardian reinvestigated. Still valid. No security.txt at xAI's domain. HackerOne contact for X: expired since January 2024, unrenewed. xAI's reply: "Please submit to HackerOne." The repo was deleted. No update sent. The fix happened silently, out of bounds of the process that found the problem.
And then there's Microsoft.
November 2, 2023 — Secure Future Initiative: "Security above all else."
April 2026 — Zero Day Quest 2026: "Zero Day Quest remains a core part of our ongoing partnership with the security research community." $2.3M awarded.
April 2 — BlueHammer published. #CVE-2026-33825 issued. Patched. Real exploitation observed by April 10.
April 16 — RedSun published. Live exploitation observed: compromised FortiGate VPN credentials, Russian IP, hands-on-keyboard operator. No #CVE issued. Patch quietly shipped. No announcement.
May 12, Patch Tuesday — Official zeroday count: 0.
May 12, same day — Chaotic Eclipse dropped YellowKey (#BitLocker bypass, Windows 11 / Server 2022/2025) and GreenPlasma (privilege escalation to SYSTEM).
The researcher's note: "Microsoft silently patched the RedSun vulnerability." "There will be a big surprise on June 9."
Microsoft's statement: "We support coordinated vulnerability disclosure — a broadly adopted industry practice that ensures issues are carefully investigated and addressed before being publicly disclosed."
The researcher didn't ask for money. Didn't ask for credit. Asked to be seen.
The mirror is there. No one has to look.
Full piece: what a silent patch does to the count — why CVE-based tooling is structurally blind to exactly this — the economics of recognition vs. money in the research community — Ballmer, 2001, and the distance between the stage and the MSRC triage queue — what to do instead of trusting the count.
All sources and related URLs are in the Substack post.
#bluehammer #yellowkey #WindowsSecurity #cybersecurity