Acknowledgment Policy for Microsoft Security Bulletins

Updated: January 26, 2000

If you've read Microsoft Security Bulletins, you're no doubt familiar with the acknowledgment section that appears in most bulletins. Effective January 01, 2000, Microsoft will begin following a new policy regarding acknowledgments in security bulletins. We would like to ensure that customers understand the new policy and recognize the service that the security professionals being acknowledged are providing to the community.

Microsoft is committed to protecting customers' information, and the Microsoft Security Response Center is the most visible proof of this commitment. The Response Center investigates all reported security vulnerabilities in Microsoft products. When we find a vulnerability, we develop a patch as quickly as possible and broadly disseminate information about the vulnerability, the risk it poses, and what customers can do to protect themselves against it.

However, to do this we need the help of the people who discover security vulnerabilities. No vendor can develop security patches overnight. Microsoft products run on thousands of different manufacturers' hardware, in millions of different configurations, and in conjunction with countless other applications. Our patches must operate correctly on every single machine. This is a significant engineering challenge under any conditions, but it is even more difficult when details of a vulnerability have been made public before a patch can be developed. In such cases, speed must become our primary consideration, in order to protect our customers against malicious users who would exploit the vulnerability.

The responsibility for Microsoft's products rests with Microsoft alone, and we take that responsibility very seriously. However, there has traditionally been an unwritten rule among security professionals that the discoverer of a security vulnerability has an obligation to give the vendor an opportunity to correct the vulnerability before publicly disclosing it. This serves everyone's best interests, by ensuring that customers receive comprehensive, high-quality patches for security vulnerabilities but are not exposed to malicious users while the patch is being developed. Once customers are protected, public discussion of the vulnerability is entirely in order, and helps the industry at large improve its products.

Many security professionals follow these practices, and Microsoft wants to single them out for special thanks. The acknowledgment section of our security bulletins is intended to do this. When you see a security professional acknowledged in a Microsoft Security Bulletin, it means that they reported the vulnerability to us confidentially, worked with us to develop the patch, and helped us disseminate information about it once the threat was eliminated. They minimized the threat to customers everywhere by ensuring that Microsoft could fix the problem before malicious users even knew it existed.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.