Skip to main content

Security Update Guide dashboard and API:
Frequently Asked Questions

A note on terminology:throughout the FAQ, the terms “security bulletin” or “bulletin” refer to the security bulletin webpages that Microsoft has published each month since 2004, such as Microsoft Security Bulletin MS16-142 – Cumulative Security Update for Internet Explorer.

Q: Why is the security bulletin ID number (e.g. MS16-XXX) not included in the new Security Update Guide?

A: The way Microsoft documents security updates is changing. The previous model used security bulletin webpages and included security bulletin ID numbers (e.g. MS16-XXX) as a pivot point. This form of security update documentation, including bulletin ID numbers, is being retired and replaced with the Security Update Guide. Instead of bulletin IDs, the new guide pivots on vulnerability ID numbers and KB Article ID numbers.

Q: I’m not familiar with the CVRF format mentioned on the Developer page. What is this format and where can I get more information about it?

A: : Microsoft has made the strategic decision to follow the CVRF Industry Standard for vulnerability reporting. You can learn more about CVRF and review the data schema at http://www.icasi.org/cvrf/

Q: I have update processes built around the traditional security bulletin model. How soon will the Security Update Guide replace traditional security bulletins?

A: The Security Update Guide is now the definitive source for new security update information. To help customers transition to the new model, Microsoft published traditional security bulletins as individual webpages during the preview period. Existing bulletins will be preserved.

Q: Will the previously published security bulletin webpages remain available?

A: Yes. Previously published traditional security bulletin webpages will remain online.

Q: Microsoft currently groups related security updates in the form of the traditional security bulletin webpages. I use these groupings to communicate security updates to my various patch deployment teams. Using the new Security Update Guide dashboard model, how can I group related updates?

A: In the Security Update Guide, you can group related updates by combining the date filter with Product Category filter. You can then download the results to CSV.

Q: I currently use the monthly security bulletin summary webpage (e.g. Microsoft Security Bulletin Summary for November 2016). Will these security release summary webpages continue to be available after the preview period ends, or will something similar be offered in the new Security Update Guide?

A: The monthly security release summary webpages will not be published monthly after the conversion to the Security Update Guide. However, there is a Monthly Summary Page in the Security Update Guide here: https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Q: Will the Security Update Guide be released in languages other than English?

A: Yes. Microsoft will publish security update release details in the Security Update Guide in the same languages as are currently supported with traditional security bulletin webpages.

Q: Where can I learn more about the API for the Security Update Guide, and how to use it?

A: The API is documented (including code snippets) on the Developertab of the Security Update Guide.

Q: How will the publication of traditional security advisory webpages (e.g. Microsoft Security Advisory 3181759 - Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege) be affected by this transition to the new Security Update Guide?

A: Microsoft will continue publishing security advisories using the current publication model.

Q: Will Microsoft continue to publish acknowledgements of the researchers who reported a vulnerability?

A: Yes. You can find acknowledgements in the CVE Detail sections of the Security Update Guide. You can also see a list of all Acknowledgements here: https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments

Q: What will happen to security bulletin ID numbers?

A: Microsoft will no longer use bulletin ID numbers for documenting new security updates in the Security Update Guide. Bulletin ID numbers and bulletin webpages for security updates released as bulletins will be maintained.

Q: Will new updates released, or revisions in the Security Update Guide trigger a notification in the same way that a security bulletin revision triggers a notification to customers today (via Microsoft Technical Security Notifications)?

A: We will add the functionality to sign up to receive notifications when new data is added to the Security Update Guide or when there are revisions to existing data.

Q: Will Microsoft continue to provide notification for out-of-band security update releases?

A: Yes.

Q: I am using Microsoft Patch management software such as WSUS or SCCM. How will those tools be affected by security bulletin deprecation?

A: Microsoft Patch Management tools will be updated as needed to ensure that these tools will continue to work correctly with the new Security Update Guide.

Q: I am using 3rd party management tools. Will there be any impact on those products?

A: We are working with companies that provide management tools to adjust their products to work with the new Security Update Guide. Microsoft cannot guarantee that all third-party software will work in the future.

Q: Will all the details we see currently on security bulletin webpages also be supported in the new Security Update Guide?

A: Yes. Information provided in the new Security Update Guide is on par with the set of details available in traditional security bulletin webpages.

Q: Will there be any change on the bulletin data Excel sheet?

A: The historical bulletin search spreadsheets will continue to be available online. With the new Security Update Guide, you can use the dashboard to create similar spreadsheets that relate individual CVEs to affected software. The columns relevant to bulletins specifically will be removed.

Q: Will there be any change to the My Bulletin portal? ( http://mybulletins.technet.microsoft.com/)

A: Yes. The MyBulletins webpage will no longer be supported after the Security Update Guide is out of preview.

Q: Can I save my filter condition?

A: The preview version of the Portal will automatically save the search settings that you last used.

Q: Are there any prerequisites for using the API?

A: To use the API you must first log into TechNet with a Microsoft Live ID. The first time that you use the API you must create a key. It will be saved for subsequent uses.

Q: Do I need to be logged into my Microsoft account to use the Security Update Guide dashboard and API?

A: The Security Update Guide dashboard is available without logging into TechNet. If you click the Developer tab to access the API, you’ll be prompted to log in to your Microsoft account.

Q: I have suggestions for how to improve the portal. Where should I send them?

A: Thanks! You can post suggestions on the Security Update Guide Q&A forum.

MSRC Blog

SRD Blog