Microsoft said it has no intention of pursuing legal action against individuals conducting or publishing security research, after the company drew criticism for its handling of a recent zero-day vulnerability disclosure.

The statement, released hours after the backlash mounted, aims to reset relations with the security research community. It offers reassurance that researchers publishing findings will not face legal threats from the tech giant. The pledge does not, however, apply to malicious hacking or criminal exploitation of discovered flaws.

Tensions arose when Microsoft appeared to object to a researcher's public disclosure of a zero-day vulnerability before the company issued a patch. Critics argued the move chilled responsible disclosure practices. Microsoft now says it is “taking the feedback seriously” and will not retaliate against good-faith research.

While the company has long maintained a bug bounty program for coordinated disclosure, it had not previously offered such an explicit general protection for publication of research. The pledge comes as cybersecurity experts increasingly call for legal safe harbors for vulnerability researchers.

The policy change applies to all security research published in good faith, including public disclosure. However, it remains unclear whether the pledge will be codified into an enforceable company policy or will remain a temporary assurance amid the current controversy.