What I sent to Microsoft:

On June 27, 2014, in Security, by

Many years ago there was a security researcher who said the following: 

“Don’t lose sight of security. Security is a state of being,
 not a state of budget. He with the most firewalls still does
 not win. Put down that honeypot and keep up to date on
 your patches. Demand better security from vendors and
 hold them responsible. Use what you have, and make
 sure you know how to use it properly and effectively.

 And above all else, don’t abuse or take for granted sources of help and
 information.  Without them, you might find yourself lost or
 ~Rain Forest Puppy

While he has gone on to other things, that last part has always stuck with me.  Don’t take for granted sources of help and information.  Without them, us, the good guys, will be lost.

Getting rid of the email notifications of security information is impacting me, one of the good guys.  It’s how I communicate to over 5,000 IT administrators on a patchmanagement listserve that it’s time to send out updates.  It’s how I get alerted to when there are security advisories.  And any other changed to bulletins.  It makes me go look and understand what my risks are.  Taking this away and attempting to replace it with RSS feeds means you just damaged not only me, but countless number of Enterprises the world over that also rely on this mechanism to be alerted to changes in the security ecosystem.

While I do use RSS feeds, there is nothing that quite takes the place of an email.

So may I ask on behalf of the community of the good guys that you reconsider this decision of yours to suspend the use of email notifications of

* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins

And give us, the good guys, the ability to opt into such communication and waive any and all governmental policies you think are impacted by this communication.

Susan Bradley


Title: Microsoft Security Notifications
Issued: June 27, 2014

Notice to IT professionals:

As of July 1, 2014, due to changing governmental policies concerning
the issuance of automated electronic messaging, Microsoft is
suspending the use of email notifications that announce the

* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins

In lieu of email notifications, you can subscribe to one or more of
the RSS feeds described on the Security TechCenter website.

For more information, or to sign up for an RSS feed, visit the
Microsoft Technical Security Notifications webpage at
http://technet.microsoft.com/security/dd252948 .

Other Information

Follow us on Twitter for the latest information and updates:

Recognize and avoid fraudulent email to Microsoft customers:
If you receive an email message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious websites. Microsoft does
not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, it is not required to read
security notifications, security bulletins, security advisories, or
install security updates. You can obtain the MSRC public PGP key at

To receive automatic notifications whenever Microsoft Security
Bulletins and Microsoft Security Advisories are issued or revised,
subscribe to Microsoft Technical Security Notifications on


3 Responses to What I sent to Microsoft:

  1. Paul Husted says:

    They don’t have much of a choice. As of July 1, Canada does not permit unsolicited email to be sent unless the recipient has explicitly reauthorized such emails. It has to be an explicit opt-in.

  2. bradley says:

    Not buying it. I opted into emails. I live in the USA. Sorry not accepting that they don’t have a choice. They do.

  3. Indy says:

    E-mail has been kicking and screaming its way to death for decades now. Good riddance. There are only 10+ other ways to get these notifications, and half of those are spam-phish free and using secure protocols.

    Your anti-spam filter is nigh-near-impossible to properly enter, also.