Vista security goal, pie in the sky? Experts weigh in

23.02.2007

Michael Cherry, analyst, Directions on Microsoft.

"Making these kinds of predictions is like saying when you're going to ship. If you're right, no one pays attention. But if you're wrong, they'll rub your nose in it.

"Actually, I don't want to set my mindset to a certain number of vulnerabilities, or say a certain number is acceptable. I don't care if it's only one vulnerability, because if it's really, really bad, that's worse than 20 cosmetic bugs. Better, I think, would be to set a goal that says 80% of the vulnerabilities in the first year will be [rated] important or less.

"Fathi should have said, 'We are just not going to discuss counting' and leave it at that."

Graham Cluley, senior technology consultant, Sophos PLC.