VMware works hard to build products that our customers trust in the most critical operations of their enterprises. We recognize that unless our products meet the highest standards for security, customers will not be able to deploy them with confidence. This VMware Security Response Policy documents our commitments for resolving possible vulnerabilities in our products so that our customers can be assured that any such issues will be corrected in a timely fashion.

Classes of Vulnerabilities in VMware Products

Critical Vulnerabilities

Vulnerabilities that can be exploited by an unauthenticated attacker from the Internet or those that break the guest/host Operating System isolation. The exploitation results in the complete compromise of confidentiality, integrity, and availability of user data and/or processing resources without user interaction. Exploitation could be leveraged to propagate an Internet worm or execute arbitrary code between Virtual Machines and/or the Host Operating System.

Important Vulnerabilities

Vulnerabilities that are not rated critical but whose exploitation results in the complete compromise of confidentiality and/or integrity of user data and/or processing resources through user assistance or by authenticated attackers. This rating also applies to those vulnerabilities which could lead to the complete compromise of availability when exploitation is by a remote unauthenticated attacker from the Internet or through a breach of virtual machine isolation.

Moderate Vulnerabilities

Vulnerabilities where the ability to exploit is mitigated to a significant degree by configuration or difficulty of exploitation, but in certain deployment scenarios could still lead to the compromise of confidentiality, integrity, or availability of user data and/or processing resources.

Low Vulnerabilities

All other issues that have a security impact. Vulnerabilities where exploitation is believed to be extremely difficult, or where successful exploitation would have minimal impact.

How to Report a Vulnerability

VMware encourages users who become aware of a security vulnerability in VMware products to contact VMware with details of the vulnerability. VMware has established an email address that should be used for reporting a vulnerability. Please send descriptions of any vulnerabilities found to security@vmware.com. Please include details on the software and hardware configuration of your system so that we can duplicate the issue being reported.

Note: We encourage use of encrypted email. Our public PGP key is found at kb.vmware.com/s/article/1055.

VMware hopes that users encountering a new vulnerability will contact us privately as it is in the best interests of our customers that VMware has an opportunity to investigate and confirm a suspected vulnerability before it becomes public knowledge.

In the case of vulnerabilities found in third-party software components used in VMware products, please also notify VMware as described above.

VMware's Response to Reported Vulnerabilities in Its Products

Security Vulnerability Sources Monitored

VMware receives private reports on vulnerabilities via its mailbox, from customers and from VMware field personnel. VMware also monitors public repositories of software security vulnerabilities to identify newly discovered vulnerabilities that may affect one or more of our products.

Acknowledgement and Initial Analysis

After receipt of a report of a vulnerability, VMware will triage the report and determine which products are affected and what the severity of the vulnerability is. VMware will provide feedback to the reporter of the vulnerability and work with them to fix the issue.

In the event of a public report where there is no available fix, VMware will acknowledge the report by publishing a Knowledge Base article. This information will include references to the public sources reporting the vulnerability. Whenever possible, it will include steps users can take to protect their VMware system from exploitation of the vulnerability.

Fix or Corrective Action

VMware will release of a fix for the reported vulnerability. The fix may take one or more of these forms:

• A new major or minor release of the affected VMware product
• A new maintenance or update release of the affected VMware product
• A patch that can be installed on top of the affected VMware product
• Instructions to download and install an update or patch for a third-party software component that is part of the VMware product installation
• A corrective procedure or workaround that instructs users in adjusting the VMware product configuration to mitigate the vulnerability

VMware Customer Notification

When a fix or corrective action for a vulnerability becomes available, VMware will notify its customers by the following means:

• VMware Knowledge Base article and/or release notes which details the fix or corrective action.
• VMware Security Advisory which details the security vulnerability and provides a reference to the KB article and/or release notes.

Note: VMware Security Advisories are posted at www.vmware.com/security/advisories and are sent to subscribers of the VMware Security Announce mailing list. One can subscribe to this list by entering their email address in the “Sign-up for Security Advisories” box on www.vmware.com/security/advisories.

Product Versions that VMware Will Fix

VMware Life Cycle Policies specify software support timelines to assist customers with long-term change-management decisions and release strategies. Customers should familiarize themselves with the Life Cycle policy of their product.

VMware's committed response time depends on the severity of the reported vulnerability.

Critical

VMware will begin work on a fix or corrective action immediately. VMware will provide the fix or corrective action to customers in the shortest commercially reasonable time.

Important

VMware will deliver a fix with the next planned maintenance or update release of the product and where relevant, VMware will release the fix in the form of a patch.

Moderate, Low

VMware will deliver a fix with the next planned minor or major release of the product.