Computer Active (UK)

THE BUGS MICROSOFT MAY NEVER FIX

While bugs affecting how Microsoft programs operate often have DIY workarounds, it’s not quite so easy to fix security flaws yourself.

In an attempt to explain its thought process behind fixing security bugs, Microsoft recently issued a draft document entitled Microsoft Security Servicing Commitments. In this, the company details the criteria it uses to determine whether a bug will be repaired and how soon.

It states that a bug will be fixed via a monthly or emergency security update if it both “violates a promise” Microsoft has made related to security and “meets the bar” in terms of severity. If the bug meets only one of the criteria, it’s likely the fix won’t arrive until the next version update. If neither criterion is met, the bug may never be fixed. In some cases, Microsoft gets others to do the work by offering a “bug bounty” of up to $15,000.

The document is aimed primarily at security researchers, but it’s interesting reading - not least because it explains why some security flaws take longer to fix than others. The full document is available at www.snipca.com/28180.
