Microsoft has published a new draft document clarifying which security bugs will get a rapid fix and which it will let stew for a later release.

The document[1] outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update.

Microsoft said[2] in a blog post that the document is intended to offer researchers "better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them."

The criteria revolve around two key questions: "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?"; and, "Does the severity of the vulnerability meet the bar for servicing?"

If the answer to both questions is 'yes', the bug will be patched in a security update, but if the answer to both is 'no', the vulnerability will be considered for the next version or release of the affected product or feature.

That bar for servicing is defined by Microsoft's severity rating system, which aims to help customers understand the risk of each vulnerability it patches. The ratings are Critical, Important, Moderate, Low, and None.

"If a vulnerability is rated as Critical or Important, and the vulnerability applies to a security boundary or security feature that has a servicing commitment, then the vulnerability will be addressed through a security update," the draft states.

Microsoft lists eight types of security
