Microsoft says it will not pursue security researchers after zero-day backlash


Microsoft says it will not pursue security researchers after zero-day backlash | The Record from Recorded Future News

Alexander Martin
June 1st, 2026

Microsoft said Monday it has “no intention to pursue action” against security researchers who uncover vulnerabilities and publish their findings, days after an official blog post sparked a backlash from the security community.

The post had condemned a recent series of uncoordinated Windows zero-day releases as “never justifiable” and said the company's Digital Crimes Unit would “continue bringing cases against” those enabling criminal actors.

While Microsoft stopped short of naming or directly threatening Nightmare Eclipse — the pseudonymous researcher behind the disclosures — the disclosures themselves were described as having created “unnecessary risk,” and Microsoft’s language was perceived as a threat.

The post drew criticism from the security community, with many researchers expressing sympathy for Nightmare Eclipse’s grievances against Microsoft, including the researcher’s allegation that the company deleted their Microsoft Security Response Center account, withheld bounty payments and removed their attribution from at least one advisory.

In the new statement — shared on social media rather than its official blog — Microsoft said it is taking the feedback seriously, adding: “To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research.”

It added the caveat: “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”

Microsoft acknowledged failures in its own handling of researcher relationships, stating “some interactions have fallen short” and that it is “working to learn” from those incidents. The statement did not directly address Nightmare Eclipse’s specific allegations.

The new statement also drops the phrase “responsible disclosure,” which appeared four times in the original post. Microsoft instead refers to “Coordinated Vulnerability Disclosure” — the term it adopted in 2010 specifically to avoid the implication that researchers who do not comply are behaving irresponsibly.

Katie Moussouris, who as a Microsoft employee helped retire the earlier term, had singled out its reappearance in last week’s post as “loaded,” writing on Bluesky that “no vendor uses that term unless they want to call someone irresponsible.”

Microsoft said: “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together.

“We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”

In a post on their blog, Nightmare Eclipse said that following “recent events” other researchers had approached them and in some cases provided vulnerabilities directly. They announced that a new Secure Boot vulnerability would be released sometime in June. They said the bug “fully bypasses BitLocker” and may be usable to compromise confidential virtual machines.

Microsoft did not respond to a request for comment before publication.


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79
