Forum - Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update
News Fetcher
Joined: Oct 24 2009
Last Active: Never/Not tracked
Total Active: Never/Not tracked
Timezone: GMT+ -7
134659 posts
Last Page Viewed:
Post 147223       June 13 '18 at 08:00 AM
By msmash from Slashdot's behind-the-scene department:
Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release. From a report: The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update. Microsoft said in a blogpost the document is intended to offer researchers "better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them." The criteria revolve around two key questions: "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"; and, "Does the severity of the vulnerability meet the bar for servicing?" If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.