Security Update Guide FAQs
The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.
Microsoft has made the strategic decision to follow the CVRF Industry Standard for vulnerability reporting. You can learn more about CVRF and review the data schema at http://www.icasi.org/cvrf/
The Security Update Guide is now the definitive source for new security update information. To help customers transition to the new model, Microsoft published traditional security bulletins as individual webpages during the preview period. Existing bulletins will be preserved.
Yes. Previously published traditional security bulletin webpages will remain online.
In the Security Update Guide, you can group related updates by combining the date filter with Product Category filter. You can then download the results to CSV.
The monthly security release summary webpages will not be published monthly after the conversion to the Security Update Guide. However, there is a Monthly Summary Page in the Security Update Guide here: https://portal.msrc.microsoft.com/en-us/security-guidance/summary
Yes. Microsoft will publish security update release details in the Security Update Guide in the same languages as are currently supported with traditional security bulletin webpages.
The API is documented (including code snippets) on the Developer tab of the Security Update Guide.
Microsoft will continue publishing security advisories using the current publication model.
Yes. You can find acknowledgements in the CVE Detail sections of the Security Update Guide. You can also see a list of all Acknowledgements here: https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments
Microsoft will no longer use bulletin ID numbers for documenting new security updates in the Security Update Guide. Bulletin ID numbers and bulletin webpages for security updates released as bulletins will be maintained.
We will add the functionality to sign up to receive notifications when new data is added to the Security Update Guide or when there are revisions to existing data.
Microsoft Patch Management tools will be updated as needed to ensure that these tools will continue to work correctly with the new Security Update Guide.
We are working with companies that provide management tools to adjust their products to work with the new Security Update Guide. Microsoft cannot guarantee that all third-party software will work in the future.
Yes. Information provided in the new Security Update Guide is on par with the set of details available in traditional security bulletin webpages.
The historical bulletin search spreadsheets will continue to be available online. With the new Security Update Guide, you can use the dashboard to create similar spreadsheets that relate individual CVEs to affected software. The columns relevant to bulletins specifically will be removed.
The preview version of the Portal will automatically save the search settings that you last used.
To use the API you must first log in with a Microsoft ID. The first time that you use the API you must create a key. It will be saved for subsequent uses.
The Security Update Guide dashboard is available without logging in. If you click the Developer tab to access the API, you’ll be prompted to log in to your Microsoft account.
Thanks! You can post suggestions on the Security Update Guide Q&A forum.