Updated: July 10, 2020 (March 1, 2004)
Analyst Report
Security Communications
The goal of security-related communications is twofold: to ensure that customers know about vulnerabilities and patches in a timely manner and to ensure they know how to use Microsoft products securely.
What Is Microsoft Doing?
Since the initiation of the SD3+C framework, Microsoft has tried to improve the way it communicates security-related information, including improving the security bulletin system, running a Protect Your PC campaign, and providing prescriptive guides on implementing good security practices.
Security bulletins. Prior to Trustworthy Computing, learning about vulnerabilities and patches was difficult. Since the initiative began, Microsoft has improved security bulletins to provide complete information about vulnerabilities, including which products are affected, why the vulnerability exists, any workarounds to mitigate its impact, and how to obtain and install any patches. Two styles of bulletins are provided: one targeting computer professionals and one targeting consumers who might be overwhelmed by technical details and merely want to know how to patch the vulnerability. Microsoft also instituted a security bulletin rating system so that users know the risk associated with each reported vulnerability. (See the chart “Microsoft Security Bulletin Rating System”.) The company has also been extremely open about acknowledging who found and reported the vulnerability.