Commit 10de68f

edited article, renamed article, updated TOC
1 parent c1c1e6c commit 10de68f

2 files changed (+14, -12 lines)

2 files changed

+14
-12
lines changed

articles/aks/TOC.yml

Lines changed: 2 additions & 2 deletions
@@ -72,6 +72,8 @@
7272
href: concepts-clusters-workloads.md
7373
- name: Security
7474
items:
75+
- name: Vulnerability management
76+
href: concepts-vulnerability-management.md
7577
- name: Security Baseline
7678
href: /security/benchmark/azure/baselines/aks-security-baseline?context=/azure/aks/context/aks-context
7779
- name: Container Security
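Review bot: the new entry at line 75, `- name: Vulnerability management`, uses sentence case while its siblings in the same `Security` block use title case (`Security Baseline` at 77, `Container Security` at 79); pick one convention for the block, either rename the new entry to `Vulnerability Management` or, if sentence case is the target style, leave it and fix the neighbors in a follow-up.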
@@ -100,8 +102,6 @@
100102
href: node-auto-repair.md
101103
- name: Multi-instance GPU Node pool
102104
href: gpu-multi-instance.md
103-
- name: How Microsoft manages security patches for AKS
104-
href: microsoft-manages-aks-security-patches.md
105105
- name: Service meshes
106106
href: servicemesh-about.md
107107
- name: Sustainable software engineering
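Review bot: dropping the old TOC entry (`href: microsoft-manages-aks-security-patches.md`, line 104) together with the file rename means every existing inbound link and bookmark to the old article path stops resolving, and this commit touches only the TOC and the article itself (2 files changed), so no redirect is added; add a redirect from `microsoft-manages-aks-security-patches.md` to `concepts-vulnerability-management.md` in the repo's redirection file before merging.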

articles/aks/microsoft-manages-aks-security-patches.md renamed to articles/aks/concepts-vulnerability-management.md

Lines changed: 12 additions & 10 deletions
@@ -1,13 +1,15 @@
11
---
2-
title: Microsoft Security Patch Management for Azure Kubernetes Service
2+
title: Vulnerability Management for Azure Kubernetes Service
33
titleSuffix: Azure Kubernetes Service
4-
description: Learn about how Microsoft manage security updates for Azure Kubernetes Service (AKS) clusters.
4+
description: Learn how Microsoft manages security vulnerabilities for Azure Kubernetes Service (AKS) clusters.
55
ms.topic: conceptual
66
ms.date: 02/24/2023
77

88
---
99

10-
# How Microsoft Manages Security Patches for Azure Kubernetes Service (AKS)
10+
# Vulnerability management for Azure Kubernetes Service (AKS)
11+
12+
Vulnerability management involves detecting, assessing, mitigating, and reporting on any security vulnerabilities that exist in an organization’s systems and software. Vulnerability management is a shared responsibility between you and Microsoft.
1113

1214
This article describes how Microsoft manages security vulnerabilities and security updates (also referred to as patches), for Azure Kubernetes Service (AKS) clusters.
1315

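Review bot: `ms.date: 02/24/2023` on line 6 is left unchanged even though the title, description, H1 and opening paragraph all change in this hunk; bump `ms.date` so the published page reflects the revision. Also, the new line 12 says vulnerability management "is a shared responsibility between you and Microsoft", but line 14 still scopes the article to "how Microsoft manages security vulnerabilities"; either add one sentence naming what the customer side owns (the node reboots and node image upgrades the article points to later) or link to the shared-responsibility article, so the new sentence is not left dangling.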
@@ -25,9 +27,9 @@ Microsoft identifies and patches vulnerabilities and missing security updates fo
2527

2628
## AKS Container Images
2729

28-
While the bulk of the code running in AKS is owned and maintained by the [Cloud Native Computing Foundation][cloud-native-computing-foundation] (CNCF), the Azure Container Upstream team takes responsibility for building the open-source packages that we deploy on AKS. This provides complete ownership of the build, scan, sign, validate, and hotfix process and control over the binaries in container images. By us having responsibility for building the open-source packages deployed on AKS, it enables us to both establish a software supply chain over the binary, as well as patch the software as needed.
30+
While the [Cloud Native Computing Foundation][cloud-native-computing-foundation] (CNCF) owns and maintains the majority of code running in AKS, the Azure Container Upstream team takes responsibility for building the open-source packages that we deploy on AKS. With that responsibility, it includes having complete ownership of the build, scan, sign, validate, and hotfix process and control over the binaries in container images. By us having responsibility for building the open-source packages deployed on AKS, it enables us to both establish a software supply chain over the binary, as well as patch the software as needed.
2931

30-
Microsoft has invested in engineers (the Azure Container Upstream team) and infrastructure in the broader Kubernetes ecosystem to help build the future of cloud-native compute in the wider CNCF community. A notable example of this is the donation of engineering time to help manage Kubernetes releases. This work not only ensures the quality of every Kubernetes release for the world, but also enables AKS quickly get new Kubernetes releases out into production for several years. In some cases, ahead of other cloud providers by several months. Microsoft collaborates with other industry partners in the Kubernetes security organization, for example the Security Response Committee (SRC), receiving, prioritizing, and patching embargoed security vulnerabilities before they are announced to the public. This commitment ensures Kubernetes is secure for everyone, as well as enable AKS to patch and respond to vulnerabilities faster to keep our customers safe. In addition to Kubernetes, Microsoft has signed up to receive pre-release notifications for software vulnerabilities for products such as Envoy, container runtimes, and many other open-source projects.
32+
Microsoft has invested in engineers (the Azure Container Upstream team) and infrastructure in the broader Kubernetes ecosystem to help build the future of cloud-native compute in the wider CNCF community. A notable example of this is the donation of engineering time to help manage Kubernetes releases. This work not only ensures the quality of every Kubernetes release for the world, but also enables AKS quickly get new Kubernetes releases out into production for several years. In some cases, ahead of other cloud providers by several months. Microsoft collaborates with other industry partners in the Kubernetes security organization, for example the Security Response Committee (SRC), receiving, prioritizing, and patching embargoed security vulnerabilities before they are announced to the public. This commitment ensures Kubernetes is secure for everyone, and enables AKS to patch and respond to vulnerabilities faster to keep our customers safe. In addition to Kubernetes, Microsoft has signed up to receive pre-release notifications for software vulnerabilities for products such as Envoy, container runtimes, and many other open-source projects.
3133

3234
Microsoft scans container images using static analysis to discover vulnerabilities and missing updates in Kubernetes and Microsoft-managed containers. If fixes are available, the scanner automatically begins the update and release process.
3335

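Review bot: the reworded line 30 introduces a dangling clause, "With that responsibility, it includes having complete ownership of the build, scan, sign, validate, and hotfix process and control over the binaries"; suggest "That responsibility includes complete ownership of the build, scan, sign, validate, and hotfix process and control over the binaries in container images." The following sentence, "By us having responsibility for building ... it enables us to both ...", survives unchanged and reads the same way; "Because we build the open-source packages deployed on AKS, we can establish a software supply chain over each binary and patch it as needed" would be cleaner. Line 32 was also touched but keeps two pre-existing defects: "enables AKS quickly get new Kubernetes releases" is missing "to", and "In some cases, ahead of other cloud providers by several months." is a fragment that belongs on the end of the previous sentence.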
@@ -47,7 +49,7 @@ In addition to automated scanning, Microsoft discovers and updates vulnerabiliti
4749

4850
Each evening, Linux nodes in AKS receive security patches through their distrobution security update channel. This behavior is automatically configured, as the nodes are deployed in an AKS cluster. To minimize disruption and potential impact to running workloads, nodes are not automatically rebooted if a security patch or kernel update requires it. For more information about how to handle node reboots, see [Apply security and kernel updates to nodes in AKS][apply-security-kernel-updates-to-aks-nodes].
4951

50-
Nightly, we apply security updates to the OS on the node, but the node image used to create nodes for your cluster remains unchanged. If a new Linux node is added to your cluster, the original image is used to create the node. This new node receives all the security and kernel updates available during the automatic assessment performed every night, but remains unpatched until all checks and restarts are complete. You can use node image upgrade to check for and update node images used by your cluster. For more details on node image upgrade, see [Azure Kubernetes Service (AKS) node image upgrade][aks-node-image-upgrade].
52+
Nightly, we apply security updates to the OS on the node, but the node image used to create nodes for your cluster remains unchanged. If a new Linux node is added to your cluster, the original image is used to create the node. This new node receives all the security and kernel updates available during the automatic assessment performed every night, but remains unpatched until all checks and restarts are complete. You can use node image upgrade to check for and update node images used by your cluster. For more information on node image upgrade, see [Azure Kubernetes Service (AKS) node image upgrade][aks-node-image-upgrade].
5153

5254
For AKS clusters on auto upgrade channel, a *node-image* doesn't pull security updates through the unattended upgrade process. They receive security updates through the weekly node image upgrade.
5355

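Review bot: line 52 is reworded but still contradicts itself, "This new node receives all the security and kernel updates available during the automatic assessment performed every night, but remains unpatched until all checks and restarts are complete"; given line 50's statement that nodes are not rebooted automatically, the intended meaning appears to be that a node created from the unchanged image has no updates until the next nightly run, and that kernel updates installed then are not in effect until the node is rebooted, so say that directly. While in this hunk, fix "distrobution" in the context line 50, and clarify the subject of line 54, "a *node-image* doesn't pull security updates through the unattended upgrade process", which as written reads as if the image itself were a client; presumably it refers to node pools on the node-image auto-upgrade channel.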
@@ -78,11 +80,11 @@ For the OS-based vulnerabilities in the VHD, AKS uses **Unattended Update** by d
7880

7981
## Update release timelines
8082

81-
Microsoft's goal is to mitigate detected vulnerabilities within a time period appropriate for the risks they represent. AKS is included within [Microsoft Azure FedRAMP High][microsoft-azure-fedramp-high] Provisional Authorization to Operate (P-ATO), which requires that known vulnerabilities to be remediated within a specific time period according to their severity level as specified in FedRAMP RA-5d.
83+
Microsoft's goal is to mitigate detected vulnerabilities within a time period appropriate for the risks they represent. The [Microsoft Azure FedRAMP High][microsoft-azure-fedramp-high] Provisional Authorization to Operate (P-ATO) includes AKS in audit scope and has been authorized. FedRAMP Continuous Monitoring Strategy Guide and the FedRAMP Low, Moderate, and High Security Control baselines requires remediation of known vulnerabilities within a specific time period according to their severity level. As specified in FedRAMP RA-5d.
8284

8385
## How vulnerabilities and updates are communicated
8486

85-
In general, Microsoft does not broadly communicate the release of new patch versions for AKS. However, Microsoft constantly monitors and validates available CVE patches to support them in AKS in a timely manner. If a critical patch is found or user action is required, Microsoft will [notify you to upgrade to the newly available patch][aks-cve-feed].
87+
In general, Microsoft does not broadly communicate the release of new patch versions for AKS. However, Microsoft constantly monitors and validates available CVE patches to support them in AKS in a timely manner. If a critical patch is found or user action is required, Microsoft [notifies you to upgrade to the newly available patch][aks-cve-feed].
8688

8789
## Security Reporting
8890

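Review bot: the new line 83 drops the clear causal link the old line 81 had ("AKS is included within ... P-ATO, which requires that known vulnerabilities ... be remediated within a specific time period") and replaces it with two broken sentences: "the FedRAMP Low, Moderate, and High Security Control baselines requires" needs "require" for the compound subject, and "As specified in FedRAMP RA-5d." is a fragment. Suggest collapsing to one sentence: "AKS is in scope of the Microsoft Azure FedRAMP High Provisional Authorization to Operate (P-ATO), which requires known vulnerabilities to be remediated within the time period FedRAMP RA-5d specifies for their severity." Note also that the section is titled "Update release timelines" but neither the old nor the new text states any timeline; if the RA-5d windows can be quoted, this is the place, otherwise rename the heading.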
@@ -92,7 +94,7 @@ If you prefer to submit a report without logging in to the tool, send email to [
9294

9395
You should receive a response within 24 hours. If for some reason you don't, follow up with an email to ensure we received your original message. For more information, go to the [Microsoft Security Response Center][microsoft-security-response-center].
9496

95-
Include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
97+
Include the following requested information (as much as you can provide) to help us better understand the nature and scope of the possible issue:
9698

9799
* Type of issue (for example, buffer overflow, SQL injection, cross-site scripting, etc.)
98100
* Full paths of source file(s) related to the manifestation of the issue
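Review bot: context line 99, "Type of issue (for example, buffer overflow, SQL injection, cross-site scripting, etc.)", uses both "for example" and "etc."; drop the "etc." since "for example" already marks the list as open-ended.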
@@ -104,7 +106,7 @@ Include the requested information listed below (as much as you can provide) to h
104106

105107
This information helps us triage your reported security issue quicker.
106108

107-
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program][microsoft-bug-bounty-program-overview] page for more details about our active programs.
109+
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. For more information about our active programs, see [Microsoft Bug Bounty Program][microsoft-bug-bounty-program-overview].
108110

109111
### Policy
110112
