An Update on the Windows Server 2003 Vulnerability Count

A few weeks back, I posted an article about some of the progress we had made in the first 292 days after the release of Windows 2000 and Windows Server 2003. One criticism I have heard of these figures is that we measured security bulletins differently for Windows 2000 and Windows Server 2003. In the days of Windows 2000 we only had three ratings: Critical, Moderate and Low; during the Windows XP and later timeframe we introduced a fourth level, Important, which sits between Critical and Moderate. So I want to be clear about something: when we calculated the Windows 2000 stats, we applied the same rules we would have applied if all four levels had been in place. In short, we re-evaluated the Windows 2000 bulletins from that 292-day period and determined whether each issue was Critical, Important, Moderate or Low. No trickery. No fun and games. Just an objective analysis using the same Windows Server 2003 rules.

I hope that clears up any confusion!