Windows Security Servicing Criteria

One of our objectives at the Microsoft Security Response Center (MSRC) is to be more open and honest with security researchers and our customers about the standards we use to decide when to address a reported vulnerability through security updates. As the threat landscape changes over time, we think that increasing transparency on this subject facilitates constructive dialogue, clarifies how we evaluate risk, and sets expectations for the kinds of vulnerabilities we intend to address. In the end, we think this makes it possible for us to collaborate and better safeguard Microsoft’s clients.

To achieve this, we published a draft of the Windows security servicing criteria in June 2018. We used some excellent feedback from the research community and the larger security industry to make these criteria clearer. We are pleased to announce the release of the initial version of the Windows security servicing criteria today. We anticipate that this will be an evolving, living document and that we will keep in touch with the community about it.

Microsoft Security Servicing Criteria for Windows

Microsoft Windows Vulnerability Severity Classification

To continue the conversation, kindly contact us at [email protected] or @msftsecresponse on Twitter.

We want to thank all of our Microsoft partner teams for their assistance in developing these criteria and enhancing their clarity.

Nate Warfield, Microsoft Security Response Center (MSRC)
