Seattle-based drinkware maker MiiR is suing Tesla for allegedly copying the lid design and overall look of its stainless steel tumbler. The lawsuit, filed May 28 in US District Court in Seattle, alleges Tesla’s On The Road Tumbler infringes a design patent covering MiiR’s tumbler lid and mimics the cylindrical shape, rounded base, and vertical logo placement of its 360 Traveler Tumbler.

MiiR accuses Tesla of choosing to “substantially copy” its design rather than “innovate and develop its own unique style.” The company says Tesla was already aware of MiiR’s products because it had previously purchased or considered purchasing them.

At the centre of the case is MiiR’s lid, described in the patent as a “solid, saucer-shaped circular lid” whose circumference sits perpendicular to the sides of the container. The US Patent and Trademark Office granted the patent in February 2024. MiiR argues an ordinary observer would be deceived into thinking the two lids are the same or substantially similar.

MiiR also takes issue with Tesla’s logo placement. MiiR has used a distinctive vertical orientation of its etched brand name on drinkware since at least 2011. It says Tesla copied that same orientation on its tumbler rather than developing its own visual identity for the product.

The products are similar in size and price. MiiR’s 16-ounce 360 Traveler sells for $34 in eight colours. Tesla’s 14-ounce version is listed at $32 in three colours. Tesla sells the tumbler through its online shop and retail locations as part of a broader lifestyle merchandise line that includes apparel and accessories.

MiiR, founded in 2010, has won design awards from the Industrial Designers Society of America and donates a percentage of revenue from every product to environmental and community causes. It operates a production and warehouse facility in Marysville, Washington, north of Seattle. The company is represented by K&L Gates.

MiiR is seeking a permanent injunction to stop Tesla from selling the tumbler, damages, an accounting of Tesla’s profits from the product, and attorney fees. It is also asking the court to find that Tesla’s infringement was willful, which could result in enhanced damages. A separate claim under the Washington Consumer Protection Act alleges Tesla misled consumers into believing the tumbler was affiliated with or approved by MiiR.

Tesla has not publicly responded to the lawsuit. It is not the first time the company has faced intellectual property disputes over its product designs.

Valve is pulling physical Steam gift cards from retail stores, bringing an end to a program that has been around since 2012. The company confirmed, as spotted via SteamDB, that it will no longer send new stock of Steam gift cards to retailers once current supplies run out.

Digital Steam gift cards are not going away. Valve says users will still be able to buy them directly through Steam, and existing physical cards can still be redeemed whenever users choose. Retail stock, however, is expected to disappear by the end of 2026.

Why Valve is cutting off retail gift cards

Valve says the decision comes after years of scam-prevention efforts. The company says it worked with retailers and law enforcement, added prominent scam warnings, limited cards by currency, restricted availability, and removed cards from sale when unusual activity appeared. Unfortunately, scammers still adapted.

The issue is not limited to Steam. Scammers prefer gift cards because they are fast, widely available, and difficult to reverse once redeemed. A victim can buy one at a normal retail store, read out the code and PIN over the phone, and lose the money without ever handing over the physical card. Unlike a card payment or bank transfer, there is usually no simple chargeback process once the value has been claimed. Since no bank details are involved, it becomes much harder for victims or authorities to follow the money.

Who scammers target, and how the scam works

Gift card scams often target the elderly, isolated people, users who are less familiar with digital payments, and anyone who can be frightened into acting quickly. The setup usually starts with a phone call, email, text, or social media message.

Scammers may pretend to be government officials, tech support workers, debt collectors, utility companies, romantic partners, employers, or relatives in trouble. Although the story changes, the pressure tactic is usually the same. They insist on immediate payment, tell victims to keep the situation secret, and discourage them from ending the call.

Victims are often told exactly which card to buy and where to buy it. Once they share the number and PIN from the back of the card, the money can be drained remotely.

Valve is currently the only major company taking this step with physical gift cards. But if gift card scams keep growing, other companies may also decide that selling them in stores is no longer worth the risk.

Apple’s efforts to expand parental controls are a good start, and legally required soon. Like all safety systems, it’s only as strong as its weakest link.

On Monday, Apple spent 30 minutes of the WWDC 2026 discussing its latest updates to Child Accounts. These updates are designed to make using iPhone, iPad, and Mac safer for users under 18.

But how good are these features, really? Let’s break down what each one is, how it works, and why a lot of it ultimately doesn’t matter.

Communication Safety now blocks violence and gore blocking

Communication Safety was introduced in iOS 15.2 to protect children from viewing or sending images containing nudity. Communication Safety is enabled by default for all accounts under 18.

However, at some point, Apple realized that nudity isn’t the only kind of harmful content minors can be exposed to. That’s why, in iOS, iPadOS, and macOS 27, Messages will also block images and videos depicting gore and violence.

A new safety warning pops up for violence and gore in iOS 27

The feature works across multiple Apple device features, including Messages, AirDrop, Contact Posters, FaceTime calls and video messages, shared photo albums, and some third-party apps.

When sensitive content is detected, Communication Safety blurs the photo or video before the child can view or send it. It also presents multiple interventions before viewing or sending potentially illicit content.

If a child account is registered to a user under 13 with a Screen Time password enabled, the child will be unable to view sensitive content without the family organizer’s express permission.

Personally, I think this is a fantastic place to start. As I’ve said before, I don’t have kids, but I certainly am not short on friends who do.

I suspect, however, that this feature may be somewhat limited. Many kids don’t communicate primarily through FaceTime or Messages; instead, they use social media platforms like Instagram or catch-all apps like Discord.

Apple does make some of these features available to third-party developers, which I’ll discuss more below, but there’s no guarantee they will choose to integrate them.

Better control over who kids talk to with Communication Limits

Previously, Communication Limits allowed parents to manage when kids could communicate with others via Phone, FaceTime, and Messages. This meant you didn’t need to worry about your kids staying up super late to text their friends on school nights.

Now, in iOS 27, Communications Limits will require parents to approve any new contacts added to a child’s account. This is infinitely better, because now parents know exactly who is in their child’s contact list without needing to actively go through their phone.

Ask to Browse

One of Apple’s more underrated features is Ask to Buy. It requires a family organizer to sign off on purchases made by a child’s account.

Apple introduced the predecessor to Ask to Buy in 2011, a 15-minute time limit between requiring another password entry after purchasing in-app purchases.

Then, in 2014, Apple officially launched Ask to Buy, which gave parents a way to approve or decline purchases via the Family Sharing section in Settings. It would receive a second update in 2022 with iOS 16.2, integrating requests into the Messages app, eliminating the need to check Settings first.

Ask to Browse will require parents to approve websites for children under 13, and optionally for children under 18

Now, Apple is taking it a step further with Ask to Browse, set to debut in iOS 27. Ask To Browse will alert parents via Messages when a child wants to view a new website and allow remote approval.

Honestly, it’s surprising that Apple took this long. The feature should, at the very least, have been introduced in 2022 alongside the Ask to Buy Messages integration.

A better Screen Time experience

This fall, iOS 27 and its iPad and Mac counterparts will get an overhauled Screen Time experience.

Time Allowances will give parents more flexibility over how kids spend time in apps across categories. These categories, for example, might include Entertainment, Games, and Social Media.

Expanded Time Allowance controls make it easier to set up healthy screen time limits

Parents can set an overall time limit, such as two hours, for a child’s screen time. Then they can further customize how much time a child spends in each category, such as one hour on entertainment, half an hour on games, and half an hour on social media.

I like this quite a bit, especially because the interface is large and not intimidating, suggesting that it would be pretty easy to use for nearly anyone. It’s even better because it utilizes expert research to suggest appropriate screen time limits.

Help for parents, too (but only sort of)

One of the other things Apple mentioned was a brand new Child Safety guidance website. The website, which is live now, serves as a quick primer on all the safety features available to parents.

I’m putting extra emphasis on quick, by the way. It really doesn’t explain anything more than, say, any other Apple feature page.

Sure, it explains which features exist and which are coming soon, but that’s about it. There isn’t much information about what is inside the apps, what steps you’ll be expected to take, or why Apple suggests them.

Instead, it tells you that you can enable Find My on the Apple Watch for a child account. It tells you that Screen Time is a thing, sure, but not how to use it.

If I were in charge of the website, and I’m not, I would have, at the very least, linked out to the Apple User Guide or Support pages for each feature. At least then, a parent could know where to find each feature and how to customize it for their child.

Developers can participate, but don’t have to

To Apple’s credit, it’s trying to make it easier for developers to incorporate these safety features into their own apps.

For example, Apple offers the ScreenTime Framework to developers, giving them the tools to help parents supervise how much time their children spend in the app.

PermissionsKit, Apple’s developer framework that powers this process, allows third-party app developers to utilize the same Communication Limits Apple uses in FaceTime and Messages.

I think this could be huge for apps like Discord or Instagram. Whether those developers choose to do so is another matter entirely.

Communication Limits, used here in Messages, can be integrated into third-party apps via PermissionsKit

The SensitiveContentAnalysis framework helps check for and blur nudity in third-party apps. This feature should probably be utilized by apps like Instagram, Snapchat, and Discord as soon as possible.

Again, these are opt-in features made available to developers. Because there is no requirement to utilize them, certain apps will likely still pose a risk to minors.

It’s a good start, but it’s not there yet

One of the bigger problems with these safety features is that many are opt-in. A safety net only works if it’s being used.

Child Accounts for users under 13 automatically enable additional protections, such as Communication Safety, Ask to Buy, and Sensitive Content Warnings. When it launches in the fall, Ask to Browse will also be enabled for users 12 and under.

In iOS 27, Communication Safety will also be automatically enabled for users aged 13 through 17. This is a solid move, especially knowing that a significant portion of CSAM is actually self-generated or otherwise passed around by minors themselves.

But things like Ask to Browse and Ask to Buy are opt-in for children aged 13 and older. While there is a reasonable expectation that, say, a 17-year-old could deduce whether they should visit a website, I’m not sure the same logic applies to a 13-year-old.

Screen Time limits, which can be used to limit a young person’s exposure to social media, are currently opt-in, regardless of the child’s age. And not only is it opt-in, but it also requires a family organizer to sit down and undergo a not-insubstantial setup process.

That’s a big ask for some people. Doubly so if the parents aren’t aware of these features in the first place, or aren’t entirely sure how they work.

I don’t know how to make this situation better. Apple isn’t responsible for what third-party developers make available, and a parent may not realize the dangers of social media or instant messaging apps.

It’s certainly not illegal for a 13-year-old to have an Instagram account. What they come across on it isn’t Apple’s responsibility; it’s Meta’s.

Perhaps the answer is a more robust setup process for child accounts. Make parents opt out of features like Ask to Browse and Ask to Buy for all minors, rather than opt in.

We won’t know exactly how many of these features work until they’re fully implemented in the public releases. Child accounts under 13 are not eligible to participate in Apple’s beta tests.

Hopefully, though, they are at least another tool parents can utilize. Lord knows they need all the tools they can get.

Parenting isn’t easy, and the omnipresent internet certainly hasn’t made it easier. I suspect this will be an eternally ongoing process, and unfortunately, until we find the gaps in the current system, we may not know what is causing harm.

As always, my advice, and the advice of AppleInsider, is as follows: If you know someone who isn’t particularly tech-savvy, take the time to offer help.

If you know a parent who is getting their kid their first iPhone, offer to show them how to set it up safely. And if you are a parent, I personally suggest having an open, honest dialogue with your kids about how to stay safe online.

from the rebuilding-a-better-internet dept

Last month Terry Godier published a great essay on his website about “the boring internet,” discussing how the internet that many of us grew up with, the wonderful, empowering, exciting internet that moved power to the edges of the network rather than the center, is still there. It’s just hidden beneath enshittified commercial layers put there by companies seeking to extract more and more from you. It’s a great read and here’s just a snippet:

The internet you grew up on is not gone.

Some of its commercial superstructure is, and more of it will go. The next decade is going to be strange for any company whose value proposition was: we host the place where you talk to your friends.

The platforms will keep mutating. The feeds will keep filling. The slop will keep rising. The grief is real and you are not wrong to feel it.

But the actual internet — the protocols, the federated services, the plain-text commands, the open feeds, the small servers, the personal sites, the things people built when user and developer were sometimes the same word — is still right there.

Advertisement

It was not demolished.

It was buried under a louder layer for a while.

Go read the whole thing. You won’t regret it. This is why I wrote Protocols, Not Platforms, it’s why I’ve been so focused for years on helping more people understand the inherent power of distributing technological power.

But, as Godier’s piece notes, protocols are… boring. They change slowly (for a good reason, because you need stability to build on). They tend to change by consensus, which is messy. And rather than having billion dollar companies throwing a whole massive engineering team at making everything work, in the protocol world, we rely on constant experimentation by anyone who wants to experiment.

Sometimes that produces silly things. Sometimes it produces things that only kinda work. And sometimes, it produces wonderful new things that would never have existed in a world of fully centralized services.

But, it takes time. And that can be frustrating for those of us who want to live in that better future. The important thing for people to understand, though, is that while the amazing new breakthroughs in the protocol world may not get giant headlines in the NY Times or flashy stories about trillion dollar IPOs, they are building real things for real people, in which the people are the most important part, rather than the bankers or the billionaire execs looking to get richer.

So I was excited recently to take part as a juror for the Open Social Awards, put on by New_Public and Public Spaces, reviewing a wide range of projects looking to build on open social protocols (mostly ATproto and ActivityPub). The energy among developers right now for what they can do on open social systems is real, and it’s building fast. Tim Trautmann recently wrote about this, saying “the nerds are building a new internet.” As he wrote:

The open web of the nineties didn’t win because the tools were better. It won because a critical mass of people decided that the alternative, a handful of AOL-style walled gardens choosing what everyone saw, was not the future they wanted. Then they built their way out of it. Slowly, unglamorously, in rooms that looked a lot like this one.

Whether atproto ends up being the thing, or a stepping stone to the thing, I don’t know. Nobody in the room claimed to know. But the work is real, the apps are shipping, and the people building them are taking it seriously without taking themselves seriously. That combination is rare, and historically, it’s the one that wins.

Advertisement

You can see that kind of excitement as well in this recent video of a bunch of developers doing an ATproto hackathon, where you see people realizing in real time how powerful ATproto is in allowing you to build a better internet:

It’s so easy these days to get down on the state of the larger internet, increasingly controlled by bigger and bigger companies trying to extract more and more from you. But if you look beneath all of that, genuinely interesting, important things are being built, some of which was celebrated at the Open Social Awards last week.

The grand prize winner was the Newsmast Foundation, which has been helping mission-driven organizations build their own social spaces online, using ActivityPub. They’ve been building some amazing community apps for news organizations, non-profits, and more. Enabling those organizations to have their own social spaces, but built on top of an open protocol.

The two “Excellence Award” winners were equally strong — there was a real argument that either of them could have taken the grand prize. First there’s Blacksky Algorithms, which has built out an entirely separate and differentiated ATproto experience, where thousands of users can have a social media experience interoperable with Bluesky and others on the network, but without ever touching Bluesky hardware or software. The company keeps doing really fascinating things as well, including its use of pol.is for community decision-making, and offering up its ability to build entirely independent ATproto powered communities to others via Acorn.

And there’s one of my personal favorites, Sill, which is a wonderful cross-protocol newsreader app. You login with your Atmosphere (ATproto) handle and/or your ActivityPub handle, and it will find the news that is being discussed among your followers and format it in a nice digest format. I use it as a daily review of what’s happening in the world that’s interesting to me.

And then all of the “honorable mentions” were doing interesting things as well, figuring out ways to make open social more useful: Bounce (a tool for migrating between AcitivtyPub and ATproto while bringing your community with you, from the team who also does BridgyFed, a tool for communicating across protocols). Dandelion, an events platform built on ATproto. Streamplace, which does video streaming on ATproto. Leaflet, which has become one of the go to places for long form blogging within the ATproto world, and Bonfire Networks, which is also working on helping communities build their own communities online.

There were many other entries as well, and the energy developers are bringing to open social projects right now is genuinely contagious. People are learning that they can just build stuff, and specifically the kind of stuff that you had to rely on the goodwill (or perhaps commercial agreements) of a large company to build.

Every day there are more creative new ideas showing up. The one thing I’m looking forward to most is when we start to break out of the “rebuilding this centralized service on open protocols” and finally get to the point where we get entirely new things that are only possible because of open protocols. This is how these things have always worked. A new medium first gets used to rebuild familiar things — almost as a way of learning how the underlying system operates. Then come the breakthroughs that are only possible because of that new medium. If I had one complaint about the entries this year, it’s that too many of them felt like rebuilding the old things, just on a protocol.

We’re already starting to see small examples, though, of what it looks like when we go to the next stage, and it’s not just “this service, but without centralized control” to “we can function entirely differently without centralized control.” That’s just starting to happen, but I expect we’ll see many more examples in the near future.

In the meantime, congrats to the winners (and all the entrants) of the first ever Open Social Awards.

Filed Under: activitypub, atproto, atprotocol, open social, open social awards

Companies: new public, public spaces

Salaries for AI roles in Singapore have climbed 15-25% in the last 12 months

Artificial intelligence builders are winning even as AI is used to justify cutting jobs in big tech and global banks. In Singapore, salaries for workers developing these systems are climbing up to five times faster than average wages.

The pay for AI roles has climbed 15–25% in the past year, with fresh hires starting at S$70,000–S$90,000 annually, according to a Robert Walters report cited by The Straits Times. Meanwhile, overall nominal wages for full-time workers rose 4.9% in 2025, down from 5.6% in 2024, per Ministry of Manpower figures.

“AI and data-based roles remain among the most in-demand positions in Singapore this year,” said Kirsty Poltock, country manager at Robert Walters Singapore. “Companies are racing not just to experiment with AI, but to put it to work at scale in their businesses.”

While hard numbers are scarce, Poltock said AI-related hiring “has continued to grow strongly over the past 12 months, particularly in AI engineering, machine learning, data science, AI product management, and AI governance roles.”

For instance, Chinese technology companies are intensifying efforts to recruit AI graduates from Singapore’s two flagship universities, offering sharply higher pay packages from S$200,000 a year to entice PhD holders to work in China, reported The Straits Times.

On May 20, OpenAI committed over US$300 million (S$386 million) to build Singapore’s applied AI sector, including an Applied AI Lab and a training programme to create over 200 Singapore-based technical roles in the coming years.

Its rival, Anthropic, the creator of AI assistant Claude, is also hiring its first Singapore-based product support specialists and offering a lucrative salary, according to an advertisement on LinkedIn.

Meanwhile, Chinese tech giant Alibaba’s cloud computing arm had also set up a global artificial intelligence innovation hub in Singapore in 2025.

Too many jobs, not enough people

AI is “clearly an outlier” for high demand, talent shortages, and premium salaries—even if not the only high-growth area, Poltock said.

She added that the demand for AI talents “has consistently outpaced the supply of qualified candidates”, resulting in salary hikes.

AI openings are everywhere. A quick search on the job portal MyCareersFuture.sg on Jun 10 revealed 150 listings for AI engineers, 45 for machine learning and 15 for data science. On the other hand, LinkedIn is advertising over 800 posts for AI engineers, more than 4,000 for machine learning and over 5,000 for data science.

However, fresh talent is scarce. AI roles often take longer to fill than other professional positions, Poltock said, because employers are competing for a limited pool of candidates.

Employers are particularly hungry for “deep tech” talents who can go beyond building AI prototypes to embedding systems into real‑world operations.

“Chinese tech firms tend to have a much stronger emphasis on deep technical AI capabilities and infrastructure, including research,” she added. “In Singapore, employers are generally placing greater emphasis on commercialisation and enterprise integration—using AI to improve productivity, automate workflows and enhance customer experience.”

No need for PhDs for AI roles

Typical entry routes into AI roles include bachelor’s and master’s degrees in computer science, data science, mathematics, or engineering—especially from local universities—plus programming skills and hands-on AI project work or internships.

“For the vast majority of AI roles we see in Singapore, a good bachelor’s degree plus practical experience and the right skills are sufficient, but to earn the absolute top end of the spectrum, a PhD would be required,” Poltock said.

An “absolute expert in AI research or leading major AI initiatives in Singapore” could command close to S$350,000 in total compensation, she added. Such an expert is expected to lead a team and has responsibilities that are increasingly global in scope, which recruiters said companies tend to look beyond Singapore for suitable candidates.

However, the silver lining lies in the fact that such AI leadership rarely fly alone but builds local teams, which creates downstream opportunities, said Yuan Yijia, founder of Singapore‑based AI recruitment agency Dada Consultants.

“They anchor an AI organisation here—then around them you start to see hiring for applied AI engineers, data analysts, platform and product roles. Those are exactly the kinds of positions that Singaporean graduates and mid‑career professionals can qualify for if they build the right skills,” she told The Straits Times.

Poltock urged Singaporeans to regroup and consider how AI can complement their careers, whether through AI-related degrees, mid-career technical upskilling, or applying AI within familiar sectors.

But riding the AI wave takes more than checking a box by taking a single course.

The candidates who stand out are “proactive, inquisitive and willing to get their hands dirty—through internships, internal pilot projects, or even self-initiated work at home.”

• Read other articles we’ve written on Singapore’s current affairs here.

• Stockton has approved a $3.15 investment in Flock drones
• The drones will act as airborne first responders
• Residents have raised privacy and surveillance concerns

Surveillance and privacy are huge concerns for individuals across the world right now, and municipal leaders in the California city of Stockton are the latest to attract criticism for a controversial drone expansion program that’s ostensibly being undertaken in the interests of public safety.

As reported by Stocktonia, the city council recently gave the thumbs up to a $3.15 million investment in drones manufactured by Flock, on top of the automatic license readers the company already supplies. These drones can act as airborne first responders, giving police eyes on a 911 call situation in as little as 30 seconds.

A former Meta employee who lost their job during a round of layoffs on May 20 is said to have been detained by US Immigration and Customs Enforcement in recent days, according to communications inside the company seen by WIRED.

A current employee posted about the incident on an internal Meta messaging board for immigration topics this week. The initial post was marked as “urgent” and tagged two Meta executives who focus on immigration issues and employee risk, in an attempt to escalate the issue to them.

The current status of the detained worker is unknown.

A spokesperson for Meta, Dave Arnold, declined to comment on the record. Representatives from ICE and the US Department of Homeland Security did not provide comment in time for publication. It is unclear whether the employee was detained by ICE, Customs and Border Protection, or another agency.

Internal messages reviewed by WIRED indicate employees believe their former colleague was being detained in El Paso, Texas, where there is a major US-Mexico border crossing. On the other side is Ciudad Juárez, home to one of the largest US consular offices in the region and a common destination for visa processing.

Many international employees at US tech companies work on H-1B visas, which allow firms to hire highly skilled foreign workers. These visas are tied to a specific employer. Workers who secure a new job need to adjust their immigration paperwork, sometimes by intentionally leaving and reentering the country.

WIRED was unable to confirm the worker’s nationality or what type of US visa they may have traveled on.

The incident marks a rare known instance of a corporate tech worker being taken into immigration custody since President Donald Trump launched dramatically escalated enforcement efforts across the country early last year, sparking widespread criticism.

In May, Meta cut nearly 10 percent of its workforce, or roughly 8,000 people, as part of its ongoing efforts to make the company more efficient and offset the massive investments it is making into AI infrastructure. Numerous workers on visas were among those let go, according to employees familiar with the departures.

A small community of Meta employees has demanded that the company do more to protect immigrant employees and contractors at risk of being detained or deported by ICE, including helping to pay for legal fees and allowing workers to avoid offices on days they fear immigration officials might be in the area. Amid what some employees describe as a lack of support from Meta, workers have begun organizing financial and logistical aid for colleagues in the US dealing with immigration issues.

Under the Trump administration, immigration authorities have been arresting tens of thousands of people a month, with about 60,000 people in detention centers as of early April, according to researchers. Tech offices have not been much of a target for raids. But in January, immigration authorities arrested two workers traveling to a Meta data center construction site.

Security

Revenge is a dish best served code

They are angry at Redmond and will have their revenge. Nightmare Eclipse, the prolific bug hunter and possibly disgruntled ex-Microsoft employee, disclosed another zero-day vulnerability just hours after Redmond issued a record-breaking number of CVEs and fixes for June Patch Tuesday.

The latest zero-day, RoguePlanet, targets Microsoft Defender and works against fully patched Windows 10 and Windows 11 systems, according to the researcher, who also released proof-of-concept exploit code for the security flaw. Assuming the attacker can win a race condition, this bug allows local privilege escalation and leads to SYSTEM-level control over an affected machine. 

Nightmare Eclipse (aka Chaotic Eclipse) is a disgruntled bug hunter with a deep understanding of Windows and an even deeper grudge against Microsoft. They claim to be an ex-employee, and accuse Redmond of ignoring vulnerability reports and refusing to communicate with them.

“When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people,” they wrote in an earlier blog post that also promised a “bone shattering” drop on July 14. 

“You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot,” the post continued.

Possibly as an outlet for this anger, and reportedly in response to Redmond’s lack of action, Nightmare began releasing their findings to the public. RoguePlanet marks the seventh Microsoft zero-day that they found and disclosed – accompanied by either a PoC exploit or technical details – before Redmond issued a fix.

Microsoft’s initial response to those disclosures was widely interpreted as a threat of legal action, prompting massive outrage from the broader infosec community before Redmond sought to calm the backlash by stating it had “no intention to pursue action against individuals conducting or publishing security research.”

As of Tuesday, the previous six zero-days all have patches.

Three of them, RedSun, UnDefend, and BlueHammer, came under attack soon after Nightmare published working exploit code for each and before Microsoft released security updates to address the flaws. The other three, YellowKey, GreenPlasma, and MiniPlasma, all have been fixed as of June’s Patch Tuesday. 

YellowKey (aka CVE-2026-45585) is a security feature bypass bug in Windows BitLocker. An attacker with physical access to the vulnerable system could bypass the BitLocker Device Encryption feature and gain access to the device’s encrypted data.

GreenPlasma (aka CVE-2026-45586) and MiniPlasma (aka CVE-2020-17103) are both privilege escalation flaws in the Collaborative Translation Framework (CTFMON) and the Cloud Files Mini Filter Driver that can be abused by an authorized attacker to elevate privileges locally and gain SYSTEM access.

When asked about RoguePlanet, a Microsoft spokesperson told The Register that the Windows giant is “aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims.”

The spokesperson continued: “Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible. Importantly, we support coordinated vulnerability disclosure, an industry standard that protects customers and supports the research community by ensuring their findings are thoroughly investigated and addressed before being made public.”

Soon after Nightmare published a PoC for RoguePlanet, the ThreatLocker threat intelligence team validated the exploit code and said that they were “actively assessing impact, affected systems, and additional mitigations,” promising to share more findings “as they become available.”

Tharros Labs senior vulnerability analyst and long-time respected security sleuth Will Dormann said he tested the exploit code, too. “It’s reportedly not 100% reliable, but it worked on the first attempt for me,” Dormann wrote. 

Nightmare, for their part, rolled back the promise of a “bone shattering” drop on July 14. 

“(Un)fortunately I will be unable to mass disclose zerodays in July 14th, RoguePlanet took way more time than expected and truly drained me,” the researcher said on Tuesday. “I might take a break but I can’t say for sure what I will be doing for next month, maybe it’s nothing, maybe it’s smtg. But the big thing is not happening. I did not intend to spread a mass panic with that post and I apologize for doing so.”®

Most robot vacuums promise to clean your home while you get on with your life, but the ones that actually deliver on that without constant babysitting are far rarer than the marketing would have you believe.

The Shark AI Ultra Robot Vacuum with Self-Empty XL Base is one that genuinely earns that claim, and right now it is down 35% from $448.00 to $289.99, saving you $158.01 on a robot that is built to run without you thinking about it.