Microsoft publishes Security Servicing Criteria for Windows, revealing how it classifies and tackles bugs
Microsoft has published documentation that reveals how it classifies the severity of vulnerabilities in Windows, and details how it decides whether problems should be addressed with a security patch or in the next version of Windows.
The first batch of documentation shows for the first time how Microsoft defines "the criteria around security boundaries, features and mitigations in Windows". In releasing details of its severity classifications -- something known as the bug bar -- the company says that it is offering a "new level of transparency with the research community and our customers".
A draft version of Microsoft's servicing criteria was published back in June, but now the first version has been released. Microsoft says that this will be a "living document". The introduction to the Microsoft Security Servicing Criteria for Windows publication explains:
Our commitment to protecting customers from vulnerabilities in our software, services, and devices includes providing security updates and guidance that address vulnerabilities when they are reported to Microsoft. We also want to be transparent with security researchers and our customers in our approach. This document helps to describe the criteria the Microsoft Security Response Center (MSRC) uses to determine whether a reported vulnerability affecting up-to-date and currently supported versions of Windows may be addressed through servicing or in the next version of Windows. For vulnerabilities in Windows, servicing takes the form of a security update or applicable guidance, most commonly released on Update Tuesday (the second Tuesday of each month).
The company has also published the Microsoft Vulnerability Severity Classification for Windows, revealed on Twitter by security expert Nate Warfield:
Additionally, we're also releasing details on how we classify severities in Windows - aka our bug bar: https://t.co/IRfdVFzF9e. This project involved teams from across Microsoft and demonstrates a new level of transparency with the research community and our customers. — Nate Warfield | #WearAMask | #ScienceNotPolitics (@n0x08) September 10, 2018
A post on the Security Research & Defense blog explains why Microsoft feels it is important to share this information publicly:
One of our goals in the Microsoft Security Response Center (MSRC) is to be more transparent with security researchers and our customers on the criteria we use for determining when we intend to address a reported vulnerability through a security update. Our belief is that improving transparency on this topic helps provide clarity on how we assess risk, sets expectations for the types of vulnerabilities that we intend to service, and facilitates constructive dialogue as the threat landscape evolves over time. Ultimately, we believe this enables us all to work together to better protect Microsoft’s customers.