As mentioned previously, whilst no software is 100% secure, we are confident that Vista is the most secure and thoroughly tested version of Windows we have ever produced. Our customers expect and deserve a computing experience that is safe, private and reliable. Trustworthy Computing has fundamentally changed the way we develop and help our customers manage Microsoft software and services. Threats to security and privacy constantly evolve and the holistic nature of Trustworthy Computing highlights Microsoft’s commitment to facing this changing landscape. Microsoft cannot do this alone, and we will continue to partner and collaborate with industry, government and academia to better protect customers and adapt to evolving security threats.
In the past, Microsoft's security headaches were coming from full-disclosure lists where researchers publicly disclosed vulnerabilities in Microsoft products without reporting them to the company. Today, the threat landscape is changing, with 0-day vulnerabilities in Windows Vista being sold to the highest bidder and not reported at all. How does Microsoft deal with this problem?
Due in part to recent reports of security vulnerabilities in a wide range of software, security is a growing concern for more and more computer users every day.
The industry is responding in part by seeking new opportunities to improve the way that security information is gathered and shared to protect customers while not aiding attackers.
Microsoft is aware of iDefense offering compensation for information regarding security vulnerabilities. Microsoft does not offer compensation for information regarding security vulnerabilities and does not encourage that practice. Our policy is to credit security researchers who report vulnerabilities to us in a responsible manner.
Since its inception, Microsoft's Patch Tuesday has been successful. Yet many critical vulnerabilities are announced shortly after the batch of monthly patches. Shouldn't there be more frequent patch releases?
We investigate each security vulnerability report thoroughly to determine its impact on our customers. In combination with that investigation, we also take a look at our engineering processes to help determine how we can best deliver a quality update to our customers within the consistent time frame that our customers have requested, which is currently a monthly cycle.
There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update.
Every vulnerability presents its own unique challenges. We’ve been clear that bulletins can be released out-of-cycle, if necessary, to help protect customers if a level of awareness and malicious activity puts customers at risk in any way. In this case, the level of awareness and malicious activity around a vulnerability may prompt Microsoft to move to a release schedule that would deliver a fix as soon as one could be built and thoroughly tested.