Microsoft says it will not pursue security researchers after zero-day backlash
Source: therecord.media, 2026-6-1 12:17:42

Microsoft said Monday it has “no intention to pursue action” against security researchers who uncover vulnerabilities and publish their findings, days after an official blog post sparked a backlash from the security community.

The post had condemned a recent series of uncoordinated Windows zero-day releases as “never justifiable” and said the company's Digital Crimes Unit would “continue bringing cases against” those enabling criminal actors.

While Microsoft stopped short of naming or directly threatening Nightmare Eclipse — the pseudonymous researcher behind the disclosures — the disclosures themselves were described as having created “unnecessary risk,” and Microsoft’s language was perceived as a threat.

The post drew criticism from the security community, with many researchers expressing sympathy for Nightmare Eclipse’s grievances against Microsoft, including the researcher’s allegation the company deleted their Microsoft Security Response Center account, withheld bounty payments and removed their attribution from at least one advisory.

In the new statement — shared on social media rather than its official blog — Microsoft said it is taking the feedback seriously, adding: “To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research.”

It added the caveat: “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”

Microsoft acknowledged failures in its own handling of researcher relationships, stating “some interactions have fallen short” and that it is “working to learn” from those incidents. The statement did not directly address Nightmare Eclipse’s specific allegations.

The new statement also drops the phrase “responsible disclosure,” which appeared four times in the original post. Microsoft instead refers to “Coordinated Vulnerability Disclosure” — the term it adopted in 2010 specifically to avoid the implication that researchers who do not comply are behaving irresponsibly.

Katie Moussouris, who as a Microsoft employee helped retire the earlier term, had singled out its reappearance in last week’s post as “loaded,” writing on Bluesky that “no vendor uses that term unless they want to call someone irresponsible.”

Microsoft said: “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together.

“We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”

In a post on their blog, Nightmare Eclipse said that following “recent events” other researchers had approached them and in some cases provided vulnerabilities directly. They announced a new Secure Boot vulnerability would be released sometime in June. They said the bug “fully bypasses BitLocker” and may be usable to compromise confidential virtual machines.

Microsoft did not respond to a request for comment before publication.


Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79

Article source: https://therecord.media/microsoft-says-it-will-not-pursue-security-researchers-disclosure