An Update on the Windows Server 2003 Vulnerability Count


A few weeks back, I posted an article about some of the progress we had made, comparing the first 292 days after the release of Windows 2000 and of Windows Server 2003. One criticism I have heard of these figures is that we measured security bulletins differently in Windows 2000 and Windows Server 2003. In the days of Windows 2000 we only had three ratings: Critical, Moderate and Low; and during the Windows XP and later timeframe we introduced a fourth level – Important, which sits in between Critical and Moderate. So I want to be clear about something – when we calculated the Windows 2000 stats, we applied the same rules as we would have applied if all four levels were in place. In short, we re-evaluated the Windows 2000 bulletins in that 292-day time period and determined if each issue was critical, important, moderate or low. No trickery. No fun and games. Just an objective analysis using the same Windows Server 2003 rules.


I hope that clears up any confusion!

Comments (8)

  1. Dana Epp's ramblings at the Sanctuary says:

    During WinHec today Bill Gates showed an interesting slide comparing the vulnerability count between Windows 2000 Server and Windows Server 2003 in the first 365 days. Verdict? 42 for W2K, 13 for WS2K3. Michael also posted an update on the Windows Server 2003 vulnerability count. Michael says that in the days of Windows 2000 Microsoft only had three ratings: Critical, Moderate and Low; and during the Windows XP and later timeframe they introduced a fourth level – Important, which sits in between Critical and Moderate. When they calculated the Windows 2000 stats, they applied the same rules as they would have applied if all four levels were in place. In short, they re-evaluated the Windows 2000 bulletins in that time period and determined if each issue was critical, important, moderate or low. No trickery. No fun and games. Just an objective analysis using the same Windows Server 2003 rules. So there you have it. No conspiracy theory here. And from Bill Gates’ slide you can see the difference since Microsoft introduced SD3+C into their operating systems….

  2. Thanks Michael 🙂