The research never stops: Zhiniang Peng’s security research story
Some security researchers discover hacking early. Others discover it accidentally. For Zhiniang Peng, it started with curiosity and cybersecurity magazines.
When Zhiniang was growing up in China, computers and the internet were already part of daily life by the time he was in middle school. But his deep dive into cybersecurity didn’t begin online. It began with Chinese‑language cybersecurity magazines. Around age 13, he started reading everything he could find about computers, programming, and hacking. Those magazines became his gateway into security research, and they did more than teach him: they pulled him into a community.
By his second year of middle school, Zhiniang was not only reading about security, he was writing about it. He submitted articles, experimented on his own, and soon found himself interviewed by local newspapers and well‑known cybersecurity publications in China. Word spread quickly. Before long, people in the local security community knew who he was, not because of a title or a degree, but because of the work.
In high school, Zhiniang began taking on real security work. Because of the relationships he had built in the security community, companies reached out to him directly, asking if he could help with penetration testing and source code auditing. It became his first hands‑on experience in professional cybersecurity, one he balanced carefully alongside school, knowing academics still came first.
After high school, Zhiniang enrolled at South China University of Technology. He initially studied material science as part of a long‑term PhD track, a decision shaped by family expectations and the academic options available at the time. But security never left him. While officially studying materials, he gravitated toward computer science, helping fix bugs, working on campus network issues, and building strong relationships with professors teaching cryptography and network security.
Eventually, he pivoted fully into computer science and went on to complete a PhD focused on post‑quantum cryptography. It was a demanding journey that required years of deep theoretical work. During that time, he felt the pressure many researchers experience, watching peers enter industry while he remained a student. Still, his persistence paid off, and once his research stabilized, he returned to hands‑on security work.
Zhiniang first worked with MSRC in 2016, long before today’s reporting workflows existed. There was no submission portal at the time and reports were sent by email, but the collaboration stuck.
Over the years, that relationship grew into something remarkable. Since he began hunting on Microsoft products in earnest, Zhiniang has submitted hundreds of reports and earned hundreds of CVEs, reflecting a long-standing collaboration with MSRC.
Part of what drew him to Microsoft was familiarity. He uses Windows and Azure daily and believes that deep understanding of a platform makes better research possible. Part of it was scale, since research on widely used products creates real‑world impact. And part of it was the strength of the bounty program itself, which values thoughtful, high‑quality findings.
Just as importantly, Zhiniang enjoys learning from existing research. He studies published Windows vulnerabilities, reproduces them, and then pushes further, asking what else might be possible.
If you look closely at Zhiniang’s submissions, one thing stands out: many of them are collaborative.
While completing his PhD, Zhiniang helped organize CTF teams at his university, mentoring undergraduates who were just discovering security. Over time, those students became research partners and, in some cases, long‑term collaborators who have worked alongside him for seven or eight years. Today, Zhiniang is a professor himself, and mentoring remains central to his work. He actively looks for people who love cybersecurity, teaches them, and brings them into real research.
Zero Day Quest and what comes next
Zero Day Quest pushed Zhiniang out of his comfort zone, and that was exactly what made it meaningful.
Historically, his work focused heavily on Windows security. During the on‑site phase of Zero Day Quest, however, many participants were researching Azure, cloud services, and emerging technologies. To compete, he had to adapt quickly.
That meant learning new attack surfaces, working in live online environments instead of source‑only analysis, and rethinking how vulnerability research applies to modern, online systems. The challenge was not just technical; it required a shift in mindset.
The experience reinforced something Zhiniang strongly believes: security research must evolve alongside technology.
When asked what excites him most about the future, he does not point to a past discovery. Instead, he talks about what comes next. He is particularly interested in finding bugs in AI‑driven systems and in using AI to empower security research. He believes AI will fundamentally change computing, and that as operating systems become more agentic, AI will become a critical attack surface.
Outside of security research, Zhiniang enjoys traveling and spending time outdoors. He likes skiing, hiking, swimming, fishing, and exploring new places. He has visited Seattle multiple times and is especially fond of the region’s natural beauty, hoping to explore more on future visits.
If you ask Zhiniang about his proudest vulnerability, he will not name one.
For him, the most exciting bug is always the next one.