• Hi Steve,

    I have to agree with you (not that it hurts or anything) about the security point - falling in the middle between immediate disclosure and no disclosure. However, a month is too short. Before you get all excited let me explain. First, I don't really know when the clock begins on the month. Validating a security concern can sometimes take a fair amount of time - especially if it's complex. Once the issue has been verified to be real it can take significant time to architect a fix. We'd all like to think that companies are full of the brightest minds, and many of them are, but security related problems can be very challenging to address. You need to be sure that you're not blowing customers out of the water by making the ramifications of applying the fix enormous. In addition, you need to be sure you're not opening up another security hole. Once the fix has been architected and coded it needs to be tested. Again, this takes time. And we want it to take time so we're sure the fix is good under stress. If you start the clock after the issue has been verified I'd be more likely to agree with you. However, if you start the clock as soon as it's reported to the company we're going to have a problem.

    I work on SQL Server and I'm proud of our track record. We do a lot of things right and we spend time thinking through the customer impact. We absolutely do not sit on security vulnerabilities and work incredibly hard to get the fix out as soon as possible. But the worst thing for us would be to be in a situation where we were forced to get a fix out - a situation that would probably lead to us having to "fix" the issue multiple times or releasing subsequent fixes that address new issues caused by the first fix.

    Customers need to be confident enough in the fix to apply it right away. So long as we continue to release solid fixes they'll deploy them. But if the system causes bad behavior and bad fixes, everyone loses.

    Cheers,

    Dan