There has been a lot of focus lately on the issue of why Microsoft is not downgrading the severity of vulnerabilities impacting Windows Vista. It all started from this statement belonging to Microsoft security guru, Michael Howard: "The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity. So don't be surprised if you see a bug that's, say, Important on Windows XP and Important on Windows Vista."

The fact that Windows Vista has additional security technologies and mitigations compared to Windows XP will not impact in any manner the severity rating of flaws across the two operating systems. So the Critical, Important, Moderate and Low severity ratings will still be valid for all Windows vulnerabilities, no matter the version name.

According to Howard, this is a decision of the Microsoft Security Response Center. And MSRC revealed that all operating systems will be treated equally. "Windows Vista will not be treated any differently, and severity ratings for any issues will be based on vulnerability traits and merits, along with technical mitigating factors," a MSRC representative told ComputerWorld. "This process is the same for all Microsoft products."

Howard himself commented on the fact that any security solution and technology is but a temporary solution that will eventually be circumvented. In the end, if the Windows code is flawed, additional security mitigations will not downgrade the severity rating of vulnerabilities in Windows Vista.

You also have to take into consideration the fact that Microsoft is targeting the reduction of critical vulnerabilities in Windows Vista from 30% to 50% in comparison with Windows XP. Artificially downgrading the severity rating of Vista flaws will only create a wave of criticism and diminish the operating system's impact in terms of security.