In September 2018, Microsoft published new documents that describe in more detail the criteria according to which security updates for Windows are developed.
This is not the first time that Microsoft has revealed some of the criteria it uses when deciding whether to develop a security update.
Patch development guidelines (June 2018)
In a paper, Microsoft Security Servicing Commitments (PDF document), that was still in draft stage, Microsoft revealed in June 2018 its decision chain for the development of security updates. Two questions are asked:
- Does the vulnerability violate a security boundary or a security feature that Microsoft has committed to defending against attacks?
- Is the severity of the vulnerability high enough that it must be addressed immediately by releasing a security update?
If both questions are answered in the affirmative, Microsoft will start developing a security update and roll it out on the next patchday (the second Tuesday of the month).
More Windows Security Servicing Criteria (Sept. 2018)
In new documents, Microsoft now provides insight into its security threat classification processes. A new article, Microsoft Security Servicing Criteria for Windows, seems to be the final version of the draft Microsoft Security Servicing Commitments mentioned above.
There Microsoft outlines the criteria according to which security measures are taken once a vulnerability has been discovered.
In a second PDF document, Microsoft describes how it assigns a severity to bug reports. The document reveals which bugs are classified as critical (e.g., a vulnerability that allows unauthorized access to the file system), which are rated important, which are rated moderate, and which are rated low risk. A denial-of-service bug that only causes an application to restart is always considered low risk. (via)