Someone looking at the number of bulletins being issued by Microsoft these days would find it hard to believe that the number of exploitable vulnerabilities has actually been reduced. That is something you can fairly say we ought to do more with. Today, if a vulnerability is present in Windows 7 but is mitigated by address space randomization and Data Execution Prevention, we are still going to issue a bulletin. Our practice today is not even to reduce the severity [of the vulnerability] based on those mitigations. So you can say we need to do a better job of analyzing the impact of the mitigations, but we are continuing to progress on that front.
So, the message is: don't judge the SDL by the number of flaws being disclosed?

Don't evaluate the SDL just by the gross number of bulletins that are being issued month to month. From our perspective, we are very confident that we have made a lot of progress over the past seven-plus years since we started the Windows security pushes.
But we are not done yet, and we are continuing to improve the SDL. We are continuing to innovate on security science to try and make our products better. There are certainly no inherent limits we have encountered yet.