Microsoft Security Servicing Criteria for Windows
Our commitment to protecting customers from vulnerabilities in our software, services, and devices includes providing security updates and guidance that address vulnerabilities when they are reported to Microsoft. We also want to be transparent with security researchers and our customers in our approach. This document helps to describe the criteria the Microsoft Security Response Center (MSRC) uses to determine whether a reported vulnerability affecting up-to-date and currently supported versions of Windows may be addressed through servicing or in the next version of Windows. For vulnerabilities in Windows, servicing takes the form of a security update or applicable guidance, most commonly released on Update Tuesday (the second Tuesday of each month).
Security Servicing Criteria
The criteria Microsoft uses when evaluating whether to provide a security update or guidance for a reported vulnerability involve answering two key questions:
- Does the vulnerability violate the goal or intent of a security boundary or a security feature?
- Does the severity of the vulnerability meet the bar for servicing?
If the answer to both questions is yes, then Microsoft’s intent is to address the vulnerability through a security update and/or guidance that applies to affected and supported offerings where commercially reasonable. If the answer to either question is no, then by default the vulnerability will be considered for the next version or release of Windows but will not be addressed through a security update or guidance, though exceptions may be made.
This document addresses the most commonly reported vulnerabilities, but because security is an ever-evolving landscape, there may be vulnerabilities that are not covered by these criteria, or the criteria may be adapted in response to changes in the threat landscape. Microsoft addresses vulnerabilities based on the risk they pose to customers and may at any time choose to address, or not address, reports based on the assessed risk.
Security boundaries and features Microsoft intends to service
Microsoft’s software, services, and devices rely on a number of security boundaries and security features, as well as the security of the underlying hardware on which our software depends, in order to achieve our security goals.
Security boundaries
A security boundary provides a logical separation between the code and data of security domains with different levels of trust. For example, the separation between kernel mode and user mode is a classic and straightforward security boundary. Microsoft software depends on multiple security boundaries to isolate devices on the network, virtual machines, and applications on a device. The following table summarizes the security boundaries that Microsoft has defined for Windows.