Recently, Microsoft has released two documents revealing how they classify cybersecurity bugs. These documents were put together by Microsoft Security Response Center.
Even though an early version of the documents was released in June, the new one is much more information-packed.
Microsoft places the cybersecurity bugs in one of the following categories:
– Security features
– Security boundaries
– Defence-in-depth security features
To shed a bit more light on these: a security boundary bug is one that Microsoft considers a violation of a data access policy, and a security feature bug is one that weakens a feature that reinforces those boundaries. The final category listed above refers to security features that aren’t as robust as the first two and mostly concerns features that provide additional security; bugs in these are not typically serviced in the Patch Tuesday updates.
In a PDF file that was released not too long ago, Microsoft describes how it ranks the severity of bug reports. Depending on their severity, this is how they go:
To get a better feel for what goes where, here’s an example:
Let’s say there is a cybersecurity bug that grants access to the file system. Such a bug would be considered Critical. On the other hand, a denial of service bug that merely restarts an application would be classified as low risk.
All in all, the purpose of introducing these security rankings is to make things clearer for cybersecurity researchers, system admins, the media, and regular users.