The monthly security update process, driven by the Trustworthy Computing Group, is one of the most visible components of Security Response at Microsoft.
Our software developers follow the Microsoft Security Development Lifecycle (SDL), the most comprehensive and effective software security assurance process in the industry, to help build software with fewer and less severe vulnerabilities. However, as with any major software product, vulnerabilities may still be discovered in the product code. Once a vulnerability is reported, we begin to investigate and, if necessary, work with the product team to develop a security update that addresses it. After extensive testing, we release these security updates publicly on the second Tuesday of each month.
We introduced our monthly release cycle in September 2003, providing customers with the following benefits:
A predictable schedule that helps customers plan for security update deployments.
A reduced number of updates, combining issues when possible.
Improved overall quality of security bulletins, which, coupled with the predictable release schedule, allows customers to employ a more refined production and testing process.
In 2005, we built comprehensive testing into our development process when we introduced the Security Update Validation Program (SUVP), allowing us to test security updates in customer lab environments.
We launched the Advance Notification Service (ANS) that same year, to provide customers with information describing affected products days before the release. ANS helps IT professionals prepare a deployment plan.
In 2008, we introduced the Exploitability Index, which predicts whether a vulnerability might be exploited for remote code execution within 30 days after a bulletin is issued. At that time, we also began publishing more technical details about the monthly security bulletins on the Security Research & Defense (SRD) team blog.