Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Microsoft Security Windows

Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update (zdnet.com) 45

Posted by msmash from the behind-the-scene dept.
Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release. From a report: The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update. Microsoft said in a blogpost the document is intended to offer researchers "better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them." The criteria revolve around two key questions: "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"; and, "Does the severity of the vulnerability meet the bar for servicing?" If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.
This discussion has been archived. No new comments can be posted.

Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update More

Microsoft Explains How it Decides Whether a Vulnerability Will Be Patched Swiftly or Left For a Version Update

Comments Filter:

  • If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.

    What if it's 1 yes and 1 no?

  • In use (Score:3)

    by AHuxley ( 892839 ) on Wednesday June 13, 2018 @10:56AM (#56777096) Journal
    by the NSA? FBI? Ongoing investigation?
  • ...we have some arbitrary promises about security and we evaluate each bug against those arbitrary promises. Oh, and we have no legal liabilities or requirements to do anything, so you have no recourse so stop complaining.

  • Code (Score:4, Funny)

    by Anonymous Coward on Wednesday June 13, 2018 @11:08AM (#56777146)

    if (paying_customer) {
                  deploy_fix();
                  charge_customer_more();
    } else {
                  deploy_rushed_buggy_fix_and_let_customer_test();
    }

    if (can_make_more_money) {
                  do_not_deploy_fix();
    }

    if (issue_is_critical) {
                    deploy_fix_with_mandatory_telemetry_update();
                    add_more_data_exfiltration();
                    charge_customer_more();
    } else {
                  charge_customer_more_anyway();
                  add_more_data_exfiltration(0;
                  add_telemetry_update();
                  deauthorize_windows_just_for_fun();
    }

  • and i decided to upgrade it myself with Linux, buh bye microsoft spyware

  • Just substitute "operating system" for "car" .

    Narrator:
    A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

    Business woman on plane:
    Are there a lot o

Slashdot Top Deals

Genetics explains why you look like your father, and if you don't, why you should.

Close